Windows Analysis Report
01vwXiyQ8K.exe

Overview

General Information

Sample name:01vwXiyQ8K.exe
renamed because original name is a hash value
Original sample name:29DC8180F10EA4A8333C75CA13D89B01.exe
Analysis ID:1447780
MD5:29dc8180f10ea4a8333c75ca13d89b01
SHA1:65bbaf371e659557ca492a5538ff1f3f7c9c5e0d
SHA256:4e8b21d9ef64d249e0e98b777b44120a28a88e33f37fe6b827aefb3e6d093810
Tags: exe, QuasarRAT, RAT

Detection

Quasar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Quasar RAT
AI detected suspicious sample
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has a writeable .text section
Performs DNS queries to domains with low reputation
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • 01vwXiyQ8K.exe (PID: 7076 cmdline: "C:\Users\user\Desktop\01vwXiyQ8K.exe" MD5: 29DC8180F10EA4A8333C75CA13D89B01)
    • schtasks.exe (PID: 6708 cmdline: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • COM Services.exe (PID: 1104 cmdline: "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" MD5: 29DC8180F10EA4A8333C75CA13D89B01)
      • schtasks.exe (PID: 5252 cmdline: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 5224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • COM Services.exe (PID: 5812 cmdline: "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" MD5: 29DC8180F10EA4A8333C75CA13D89B01)
  • cleanup
Name: Quasar RAT, QuasarRAT
Description: Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
Attribution:
  • APT33
  • Dropping Elephant
  • Stone Panda
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
No configs have been found
Source: 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Author: Joe Security
Source: 00000006.00000002.2944900500.0000000004548000.00000040.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 00000007.00000002.2620765717.000000000437E000.00000040.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 00000000.00000002.2090153176.000000000435E000.00000040.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Author: Joe Security

            System Summary

            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe", ParentImage: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, ParentProcessId: 1104, ParentProcessName: COM Services.exe, ProcessCommandLine: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f, ProcessId: 5252, ProcessName: schtasks.exe
            Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f, CommandLine: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\01vwXiyQ8K.exe", ParentImage: C:\Users\user\Desktop\01vwXiyQ8K.exe, ParentProcessId: 7076, ParentProcessName: 01vwXiyQ8K.exe, ProcessCommandLine: "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f, ProcessId: 6708, ProcessName: schtasks.exe
            Timestamp: 05/27/24-02:43:17.155959
            SID: 2035595
            Source Port: 53779
            Destination Port: 49737
            Protocol: TCP
            Classtype: A Network Trojan was detected

            AV Detection

            Source: 01vwXiyQ8K.exe, Avira: detected
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Avira: detection malicious, Label: HEUR/AGEN.1314029
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, ReversingLabs: Detection: 47%
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Virustotal: Detection: 52%
            Source: 01vwXiyQ8K.exe, ReversingLabs: Detection: 58%
            Source: 01vwXiyQ8K.exe, Virustotal: Detection: 52%
            Source: Yara match, File source: 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 01vwXiyQ8K.exe PID: 7076, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: COM Services.exe PID: 1104, type: MEMORYSTR
            Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Joe Sandbox ML: detected
            Source: 01vwXiyQ8K.exe, Joe Sandbox ML: detected
            Source: 01vwXiyQ8K.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: unknown, HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49738 version: TLS 1.2

            Networking

            Source: Traffic, Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 111.173.106.171:53779 -> 192.168.2.4:49737
            Source: DNS query: bkd.114250.xyz
            Source: global traffic, TCP traffic: 192.168.2.4:49737 -> 111.173.106.171:53779
            Source: Joe Sandbox View, IP Address: 195.201.57.90
            Source: Joe Sandbox View, ASN Name: CHINANET-BACKBONENo31Jin-rongStreetCN
            Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
            Source: unknown, DNS query: name: ipwho.is
            Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0, Host: ipwho.is, Connection: Keep-Alive
            Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global traffic, DNS traffic detected: DNS query: bkd.114250.xyz
            Source: global traffic, DNS traffic detected: DNS query: ipwho.is
            Source: COM Services.exe, 00000006.00000002.2925952128.0000000002157000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
            Source: COM Services.exe, 00000006.00000002.2972470465.00000000076E0000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabA0
            Source: COM Services.exe, 00000006.00000002.2951377734.0000000004C34000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ipwho.is
            Source: COM Services.exe, 00000006.00000002.2951377734.0000000004C34000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ipwho.isd
            Source: COM Services.exe, 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/
            Source: COM Services.exe, 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/d
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2097783393.0000000004931000.00000004.00000800.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2951377734.000000000499B000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: https://api.ipify.org/
            Source: COM Services.exe, 00000006.00000002.2951377734.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ipwho.is
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, COM Services.exe, 00000006.00000002.2951377734.0000000004C22000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://ipwho.is/
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, COM Services.exe, 00000006.00000002.2951377734.00000000049A2000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://stackoverflow.com/q/14436606/23354
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
            Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49738
            Source: unknown, Network traffic detected: HTTP traffic on port 49738 -> 443
            Source: unknown, HTTPS traffic detected: 195.201.57.90:443 -> 192.168.2.4:49738 version: TLS 1.2

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2090153176.000000000435E000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: DirectInput8Create (memstr_efd76676-3)
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2093870951.0000000004635000.00000040.00000800.00020000.00000000.sdmp, Binary or memory string: NtUserGetRawInputData (memstr_c645a6dc-8)
            Source: Yara match, File source: 00000006.00000002.2944900500.0000000004548000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2620765717.000000000437E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2090153176.000000000435E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 01vwXiyQ8K.exe PID: 7076, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: COM Services.exe PID: 1104, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: COM Services.exe PID: 5812, type: MEMORYSTR

            E-Banking Fraud

            Source: Yara match, File source: 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, File source: 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: 01vwXiyQ8K.exe PID: 7076, type: MEMORYSTR
            Source: Yara match, File source: Process Memory Space: COM Services.exe PID: 1104, type: MEMORYSTR

            System Summary

            Source: 01vwXiyQ8K.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: COM Services.exe.0.dr, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Code function: 6_2_041AC6E6 NtOpenKey
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe, Code function: String function: 03EA4DCD appears 37 times
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Code function: String function: 03E494A8 appears 51 times
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Code function: String function: 03FC5BC9 appears 43 times
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2080397709.000000000237B000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2082357710.0000000003F00000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2093870951.0000000004635000.00000040.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameuser32j% vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2082357710.0000000003F50000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamekernel32j% vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000000.1674119243.0000000002032000.00000008.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameCOM Services< vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2090153176.000000000453E000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameKernelbase.dllj% vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2088979267.000000000419D000.00000040.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameadvapi32.dllj% vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2088979267.000000000419D000.00000040.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameiphlpapi.dllj% vs 01vwXiyQ8K.exe
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2086159105.00000000040B2000.00000040.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs 01vwXiyQ8K.exe
            Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@10/3@2/2
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe, File created: C:\Users\user\AppData\Roaming\COM Surrogates
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5224:120:WilError_03
            Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5300:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe, File read: C:\Users\user\Desktop\01vwXiyQ8K.exe
            Source: unknown, Process created: C:\Users\user\Desktop\01vwXiyQ8K.exe "C:\Users\user\Desktop\01vwXiyQ8K.exe"
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe, Process created: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe"
            Source: unknown, Process created: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe"
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f
            Source: C:\Windows\SysWOW64\schtasks.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: mskeyprotect.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: ncryptsslp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 01vwXiyQ8K.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
            Source: 01vwXiyQ8K.exeStatic file information: File size 29560832 > 1048576
            Source: 01vwXiyQ8K.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x1b72000
            Source: Binary string: iphlpapi.pdbUGP source: 01vwXiyQ8K.exe, 00000000.00000002.2088979267.000000000419D000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2932301539.000000000401B000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2618876627.00000000041BD000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernel32.pdb source: 01vwXiyQ8K.exe, 00000000.00000002.2082357710.0000000003F00000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2929820020.0000000003EA5000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2614254489.0000000003E38000.00000040.00000020.00020000.00000000.sdmp
            Source: Binary string: advapi32.pdbUGP source: 01vwXiyQ8K.exe, 00000000.00000002.2088979267.0000000004130000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2932301539.0000000003FA0000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2618876627.0000000004150000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: iphlpapi.pdb source: 01vwXiyQ8K.exe, 00000000.00000002.2088979267.000000000419D000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, COM Services.exe, 00000006.00000002.2932301539.000000000401B000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2618876627.00000000041BD000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernelbase.pdb source: 01vwXiyQ8K.exe, 00000000.00000002.2090153176.000000000435E000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2944900500.0000000004548000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2620765717.000000000437E000.00000040.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: 01vwXiyQ8K.exe, 00000000.00000002.2086159105.0000000003F86000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2615697581.0000000003F9F000.00000040.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: 01vwXiyQ8K.exe, 01vwXiyQ8K.exe, 00000000.00000002.2086159105.0000000003F86000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, COM Services.exe, 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2615697581.0000000003F9F000.00000040.00000020.00020000.00000000.sdmp
            Source: Binary string: wuser32.pdb source: 01vwXiyQ8K.exe, 00000000.00000002.2093870951.000000000458E000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, COM Services.exe, 00000006.00000002.2938464210.000000000431C000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2625094395.00000000045AD000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wkernel32.pdbUGP source: 01vwXiyQ8K.exe, 00000000.00000002.2082357710.0000000003F00000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2929820020.0000000003EA5000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2614254489.0000000003E38000.00000040.00000020.00020000.00000000.sdmp
            Source: Binary string: wkernelbase.pdbUGP source: 01vwXiyQ8K.exe, 00000000.00000002.2090153176.000000000435E000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2944900500.0000000004548000.00000040.00000020.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2620765717.000000000437E000.00000040.00000020.00020000.00000000.sdmp
            Source: Binary string: advapi32.pdb source: 01vwXiyQ8K.exe, 01vwXiyQ8K.exe, 00000000.00000002.2088979267.0000000004130000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, COM Services.exe, 00000006.00000002.2932301539.0000000003FA0000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2618876627.0000000004150000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wuser32.pdbUGP source: 01vwXiyQ8K.exe, 00000000.00000002.2093870951.000000000458E000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2938464210.000000000431C000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2625094395.00000000045AD000.00000040.00000800.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeUnpacked PE file: 0.2.01vwXiyQ8K.exe.400000.0.unpack .text:EW;.sedata:EW;.idata:W;.rsrc:W;.sedata:R; vs .text:ER;.sedata:ER;.idata:R;.rsrc:R;.sedata:R;
            Source: initial sampleStatic PE information: section where entry point is pointing to: .sedata
            Source: 01vwXiyQ8K.exeStatic PE information: section name: .sedata
            Source: COM Services.exe.0.drStatic PE information: section name: .sedata
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74377 push ecx; ret 6_2_01F74379
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74174 push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74161 push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F740E8 push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74156 push eax; ret 6_2_01F74504
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F743D5 push dword ptr [esp+48h]; retn 004Ch6_2_01F743AB
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F743C2 push dword ptr [esp+48h]; retn 004Ch6_2_01F743AB
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F747C2 push ebx; retf 6_2_01F747C5
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74735 push ebx; ret 6_2_01F74736
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74EB2 push eax; ret 6_2_01F74EB3
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74631 push ebx; ret 6_2_01F74632
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F740BF push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F746BE push ebx; retf 6_2_01F746C1
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F7403D push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F743BD push dword ptr [esp+48h]; retn 004Ch6_2_01F743AB
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74139 push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74AA0 push edx; iretd 6_2_01F74AA1
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F740AB push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74397 push dword ptr [esp+48h]; retn 004Ch6_2_01F743AB
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74B16 push ebx; ret 6_2_01F74B1A
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74190 push eax; ret 6_2_01F7453E
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F7411A push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74387 push ecx; ret 6_2_01F74379
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F74000 push ecx; ret 6_2_01F74155
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_01F7410F push ecx; ret 6_2_01F74379
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03FA04F5 push eax; iretd 6_2_03FA04F2
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03FC4CDD push ecx; ret 6_2_03FC4CF0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03FA04A9 push eax; iretd 6_2_03FA04F2
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_04026C41 push esi; ret 6_2_04026C51
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_0401B530 pushad ; retn 0001h6_2_0401B578
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_04029D5B push esi; ret 6_2_04029D5D
            Source: 01vwXiyQ8K.exeStatic PE information: section name: .sedata entropy: 7.831611017837314
            Source: COM Services.exe.0.drStatic PE information: section name: .sedata entropy: 7.831611017837314
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeFile created: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe

            Boot Survival

            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeFile opened: C:\Users\user\Desktop\01vwXiyQ8K.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeFile opened: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeFile opened: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe:Zone.Identifier read attributes | delete
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeRDTSC instruction interceptor: First address: 1FD5AF7 second address: 1FD5AF9 instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeRDTSC instruction interceptor: First address: 1FE7F5A second address: 1FE7F5C instructions: 0x00000000 rdtsc 0x00000002 rdtsc
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Memory allocated: 3DA0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Memory allocated: 4930000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Memory allocated: 3DD0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Memory allocated: 24B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Memory allocated: 4970000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Memory allocated: 40A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Memory allocated: 2780000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Memory allocated: 48C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Memory allocated: 3EB0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Code function: 6_2_041B655A rdtscp 6_2_041B655A
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Window / User API: threadDelayed 5111
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Window / User API: threadDelayed 4627
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe API coverage: 0.5 %
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe API coverage: 9.0 %
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe TID: 6016 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe TID: 6048 Thread sleep time: -29514790517935264s >= -30000s
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe TID: 1848 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BaseBoard
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_BIOS
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: COM Services.exe, 00000007.00000002.2620765717.000000000437E000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
            Source: COM Services.exe, 00000007.00000002.2620765717.000000000437E000.00000040.00000020.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
            Source: COM Services.exe, 00000006.00000002.2972470465.00000000076E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

            Anti Debugging

            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Code function: 6_2_041B655A rdtscp 6_2_041B655A
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Code function: 6_2_041CE4BA LdrInitializeThunk,6_2_041CE4BA
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EB1BE5 mov eax, dword ptr fs:[00000030h]0_2_03EB1BE5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EB1BE5 mov ecx, dword ptr fs:[00000030h]0_2_03EB1BE5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE1BF1 mov eax, dword ptr fs:[00000030h]0_2_03EE1BF1
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC5BC5 mov eax, dword ptr fs:[00000030h]0_2_03EC5BC5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03ED3BD5 mov eax, dword ptr fs:[00000030h]0_2_03ED3BD5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03ED3BD5 mov eax, dword ptr fs:[00000030h]0_2_03ED3BD5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC1B65 mov eax, dword ptr fs:[00000030h]0_2_03EC1B65
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC1B65 mov eax, dword ptr fs:[00000030h]0_2_03EC1B65
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC1B65 mov eax, dword ptr fs:[00000030h]0_2_03EC1B65
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EEBB49 mov eax, dword ptr fs:[00000030h]0_2_03EEBB49
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EEEB43 mov eax, dword ptr fs:[00000030h]0_2_03EEEB43
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC2B55 mov eax, dword ptr fs:[00000030h]0_2_03EC2B55
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC2B55 mov ecx, dword ptr fs:[00000030h]0_2_03EC2B55
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE6B2C mov eax, dword ptr fs:[00000030h]0_2_03EE6B2C
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE6B2C mov ecx, dword ptr fs:[00000030h]0_2_03EE6B2C
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF0B3C mov eax, dword ptr fs:[00000030h]0_2_03EF0B3C
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EDBB35 mov eax, dword ptr fs:[00000030h]0_2_03EDBB35
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EDBB35 mov eax, dword ptr fs:[00000030h]0_2_03EDBB35
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF3AFF mov eax, dword ptr fs:[00000030h]0_2_03EF3AFF
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC0AAC mov eax, dword ptr fs:[00000030h]0_2_03EC0AAC
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC0AAC mov eax, dword ptr fs:[00000030h]0_2_03EC0AAC
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC0AAC mov eax, dword ptr fs:[00000030h]0_2_03EC0AAC
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF4AAB mov eax, dword ptr fs:[00000030h]0_2_03EF4AAB
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF4AAB mov eax, dword ptr fs:[00000030h]0_2_03EF4AAB
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF4AAB mov eax, dword ptr fs:[00000030h]0_2_03EF4AAB
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF4AAB mov eax, dword ptr fs:[00000030h]0_2_03EF4AAB
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF1A67 mov eax, dword ptr fs:[00000030h]0_2_03EF1A67
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03ED2A25 mov eax, dword ptr fs:[00000030h]0_2_03ED2A25
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03ED29E5 mov eax, dword ptr fs:[00000030h]0_2_03ED29E5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov ecx, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC49C5 mov eax, dword ptr fs:[00000030h]0_2_03EC49C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE09DD mov eax, dword ptr fs:[00000030h]0_2_03EE09DD
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF098B mov eax, dword ptr fs:[00000030h]0_2_03EF098B
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF098B mov eax, dword ptr fs:[00000030h]0_2_03EF098B
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EDD985 mov ecx, dword ptr fs:[00000030h]0_2_03EDD985
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE799A mov eax, dword ptr fs:[00000030h]0_2_03EE799A
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE799A mov eax, dword ptr fs:[00000030h]0_2_03EE799A
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC0922 mov eax, dword ptr fs:[00000030h]0_2_03EC0922
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC0922 mov eax, dword ptr fs:[00000030h]0_2_03EC0922
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC0922 mov ecx, dword ptr fs:[00000030h]0_2_03EC0922
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC1935 mov eax, dword ptr fs:[00000030h]0_2_03EC1935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC1935 mov eax, dword ptr fs:[00000030h]0_2_03EC1935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC1935 mov eax, dword ptr fs:[00000030h]0_2_03EC1935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC1935 mov eax, dword ptr fs:[00000030h]0_2_03EC1935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03E91935 mov eax, dword ptr fs:[00000030h]0_2_03E91935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03E91935 mov eax, dword ptr fs:[00000030h]0_2_03E91935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03E91935 mov eax, dword ptr fs:[00000030h]0_2_03E91935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03E91935 mov eax, dword ptr fs:[00000030h]0_2_03E91935
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03ED28E5 mov eax, dword ptr fs:[00000030h]0_2_03ED28E5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EDD8F5 mov eax, dword ptr fs:[00000030h]0_2_03EDD8F5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF28C5 mov eax, dword ptr fs:[00000030h]0_2_03EF28C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF28C5 mov ecx, dword ptr fs:[00000030h]0_2_03EF28C5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EDD8B5 mov ecx, dword ptr fs:[00000030h]0_2_03EDD8B5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EE18B5 mov eax, dword ptr fs:[00000030h]0_2_03EE18B5
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EA088F mov eax, dword ptr fs:[00000030h]0_2_03EA088F
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EC286A mov eax, dword ptr fs:[00000030h]0_2_03EC286A
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EEC866 mov eax, dword ptr fs:[00000030h]0_2_03EEC866
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03ED8855 mov eax, dword ptr fs:[00000030h]0_2_03ED8855
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03ED8855 mov ecx, dword ptr fs:[00000030h]0_2_03ED8855
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF482E mov eax, dword ptr fs:[00000030h]0_2_03EF482E
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exeCode function: 0_2_03EF482E mov eax, dword ptr fs:[00000030h]0_2_03EF482E
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E993F4 mov eax, dword ptr fs:[00000030h]6_2_03E993F4
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E693D0 mov eax, dword ptr fs:[00000030h]6_2_03E693D0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E693D0 mov eax, dword ptr fs:[00000030h]6_2_03E693D0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E693D0 mov eax, dword ptr fs:[00000030h]6_2_03E693D0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E693D0 mov eax, dword ptr fs:[00000030h]6_2_03E693D0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E6A3A7 mov eax, dword ptr fs:[00000030h]6_2_03E6A3A7
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E78360 mov eax, dword ptr fs:[00000030h]6_2_03E78360
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E78360 mov eax, dword ptr fs:[00000030h]6_2_03E78360
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E5D36F mov ecx, dword ptr fs:[00000030h]6_2_03E5D36F
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E5D36F mov eax, dword ptr fs:[00000030h]6_2_03E5D36F
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8F373 mov eax, dword ptr fs:[00000030h]6_2_03E8F373
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8F373 mov eax, dword ptr fs:[00000030h]6_2_03E8F373
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E7C342 mov eax, dword ptr fs:[00000030h]6_2_03E7C342
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E7C342 mov eax, dword ptr fs:[00000030h]6_2_03E7C342
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E7C342 mov eax, dword ptr fs:[00000030h]6_2_03E7C342
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E98308 mov eax, dword ptr fs:[00000030h]6_2_03E98308
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E98308 mov eax, dword ptr fs:[00000030h]6_2_03E98308
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E452E7 mov eax, dword ptr fs:[00000030h]6_2_03E452E7
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E452E7 mov eax, dword ptr fs:[00000030h]6_2_03E452E7
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E952F9 mov eax, dword ptr fs:[00000030h]6_2_03E952F9
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E842F9 mov eax, dword ptr fs:[00000030h]6_2_03E842F9
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E842F9 mov eax, dword ptr fs:[00000030h]6_2_03E842F9
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E842F9 mov eax, dword ptr fs:[00000030h]6_2_03E842F9
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E842F9 mov eax, dword ptr fs:[00000030h]6_2_03E842F9
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E842F9 mov ecx, dword ptr fs:[00000030h]6_2_03E842F9
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E5B2F0 mov eax, dword ptr fs:[00000030h]6_2_03E5B2F0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E812F1 mov eax, dword ptr fs:[00000030h]6_2_03E812F1
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E812F1 mov ecx, dword ptr fs:[00000030h]6_2_03E812F1
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E862CC mov eax, dword ptr fs:[00000030h]6_2_03E862CC
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E562C0 mov eax, dword ptr fs:[00000030h]6_2_03E562C0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E562C0 mov ecx, dword ptr fs:[00000030h]6_2_03E562C0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E6A2A0 mov eax, dword ptr fs:[00000030h]6_2_03E6A2A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E782B0 mov eax, dword ptr fs:[00000030h]6_2_03E782B0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E782B0 mov eax, dword ptr fs:[00000030h]6_2_03E782B0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E66240 mov eax, dword ptr fs:[00000030h]6_2_03E66240
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E66240 mov eax, dword ptr fs:[00000030h]6_2_03E66240
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E66240 mov eax, dword ptr fs:[00000030h]6_2_03E66240
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E90224 mov eax, dword ptr fs:[00000030h]6_2_03E90224
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E67230 mov eax, dword ptr fs:[00000030h]6_2_03E67230
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E67230 mov ecx, dword ptr fs:[00000030h]6_2_03E67230
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8B207 mov eax, dword ptr fs:[00000030h]6_2_03E8B207
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8B207 mov ecx, dword ptr fs:[00000030h]6_2_03E8B207
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E9321E mov eax, dword ptr fs:[00000030h]6_2_03E9321E
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E80210 mov eax, dword ptr fs:[00000030h]6_2_03E80210
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E80210 mov eax, dword ptr fs:[00000030h]6_2_03E80210
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E95217 mov eax, dword ptr fs:[00000030h]6_2_03E95217
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E981DA mov eax, dword ptr fs:[00000030h]6_2_03E981DA
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E65187 mov eax, dword ptr fs:[00000030h]6_2_03E65187
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E65187 mov eax, dword ptr fs:[00000030h]6_2_03E65187
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E65187 mov eax, dword ptr fs:[00000030h]6_2_03E65187
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E99186 mov eax, dword ptr fs:[00000030h]6_2_03E99186
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E99186 mov eax, dword ptr fs:[00000030h]6_2_03E99186
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E99186 mov eax, dword ptr fs:[00000030h]6_2_03E99186
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E99186 mov eax, dword ptr fs:[00000030h]6_2_03E99186
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E96142 mov eax, dword ptr fs:[00000030h]6_2_03E96142
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E77100 mov eax, dword ptr fs:[00000030h]6_2_03E77100
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E770C0 mov eax, dword ptr fs:[00000030h]6_2_03E770C0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov ecx, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E690A0 mov eax, dword ptr fs:[00000030h]6_2_03E690A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E850B8 mov eax, dword ptr fs:[00000030h]6_2_03E850B8
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E82060 mov ecx, dword ptr fs:[00000030h]6_2_03E82060
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E95066 mov eax, dword ptr fs:[00000030h]6_2_03E95066
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E95066 mov eax, dword ptr fs:[00000030h]6_2_03E95066
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8C075 mov eax, dword ptr fs:[00000030h]6_2_03E8C075
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8C075 mov eax, dword ptr fs:[00000030h]6_2_03E8C075
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E36010 mov eax, dword ptr fs:[00000030h]6_2_03E36010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E36010 mov eax, dword ptr fs:[00000030h]6_2_03E36010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E36010 mov eax, dword ptr fs:[00000030h]6_2_03E36010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E36010 mov eax, dword ptr fs:[00000030h]6_2_03E36010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E66010 mov eax, dword ptr fs:[00000030h]6_2_03E66010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E66010 mov eax, dword ptr fs:[00000030h]6_2_03E66010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E66010 mov eax, dword ptr fs:[00000030h]6_2_03E66010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E66010 mov eax, dword ptr fs:[00000030h]6_2_03E66010
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8F7C4 mov eax, dword ptr fs:[00000030h]6_2_03E8F7C4
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8F7C4 mov eax, dword ptr fs:[00000030h]6_2_03E8F7C4
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E387D7 mov eax, dword ptr fs:[00000030h]6_2_03E387D7
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E797DB mov eax, dword ptr fs:[00000030h]6_2_03E797DB
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E787B0 mov eax, dword ptr fs:[00000030h]6_2_03E787B0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E8F780 mov eax, dword ptr fs:[00000030h]6_2_03E8F780
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E7C76C mov eax, dword ptr fs:[00000030h]6_2_03E7C76C
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E7C76C mov eax, dword ptr fs:[00000030h]6_2_03E7C76C
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E9771F mov eax, dword ptr fs:[00000030h]6_2_03E9771F
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E9771F mov ecx, dword ptr fs:[00000030h]6_2_03E9771F
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E83710 mov eax, dword ptr fs:[00000030h]6_2_03E83710
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E83710 mov ecx, dword ptr fs:[00000030h]6_2_03E83710
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E956E2 mov eax, dword ptr fs:[00000030h]6_2_03E956E2
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E956E2 mov eax, dword ptr fs:[00000030h]6_2_03E956E2
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E636F3 mov ecx, dword ptr fs:[00000030h]6_2_03E636F3
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E636F3 mov eax, dword ptr fs:[00000030h]6_2_03E636F3
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E7D6D0 mov eax, dword ptr fs:[00000030h]6_2_03E7D6D0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E7D6D0 mov eax, dword ptr fs:[00000030h]6_2_03E7D6D0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E776DE mov eax, dword ptr fs:[00000030h]6_2_03E776DE
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E776DE mov eax, dword ptr fs:[00000030h]6_2_03E776DE
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E646A0 mov eax, dword ptr fs:[00000030h]6_2_03E646A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E646A0 mov eax, dword ptr fs:[00000030h]6_2_03E646A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E646A0 mov eax, dword ptr fs:[00000030h]6_2_03E646A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E646A0 mov eax, dword ptr fs:[00000030h]6_2_03E646A0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E786B0 mov eax, dword ptr fs:[00000030h]6_2_03E786B0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E786B0 mov eax, dword ptr fs:[00000030h]6_2_03E786B0
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E35657 mov eax, dword ptr fs:[00000030h]6_2_03E35657
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E35657 mov ecx, dword ptr fs:[00000030h]6_2_03E35657
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E78650 mov eax, dword ptr fs:[00000030h]6_2_03E78650
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exeCode function: 6_2_03E69610 mov eax, dword ptr fs:[00000030h]6_2_03E69610
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Process created: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe"
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2093870951.000000000458E000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, COM Services.exe, 00000006.00000002.2938464210.000000000431C000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2625094395.00000000045AD000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: GetProgmanWindow
            Source: 01vwXiyQ8K.exe, 00000000.00000002.2093870951.000000000458E000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, COM Services.exe, 00000006.00000002.2938464210.000000000431C000.00000040.00000800.00020000.00000000.sdmp, COM Services.exe, 00000007.00000002.2625094395.00000000045AD000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: SetProgmanWindow
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Queries volume information: C:\Users\user\Desktop\01vwXiyQ8K.exe VolumeInformation
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
            Source: C:\Users\user\Desktop\01vwXiyQ8K.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match File source: 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: 01vwXiyQ8K.exe PID: 7076, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: COM Services.exe PID: 1104, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match File source: 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: 01vwXiyQ8K.exe PID: 7076, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: COM Services.exe PID: 1104, type: MEMORYSTR

            | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
            | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
            | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 21 Windows Management Instrumentation | 1 Scheduled Task/Job | 12 Process Injection | 1 Masquerading | 121 Input Capture | 331 Security Software Discovery | Remote Services | 121 Input Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
            | Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
            | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 151 Virtualization/Sandbox Evasion | Security Account Manager | 151 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
            | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
            | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 13 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
            | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Hidden Files and Directories | Cached Domain Credentials | 123 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
            | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 3 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
            | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
            | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |

            [Behavior graph: ID 1447780, sample 01vwXiyQ8K.exe, start date 27/05/2024, architecture WINDOWS, score 100]

            | Source | Detection | Scanner | Label | Link |
            | --- | --- | --- | --- | --- |
            | 01vwXiyQ8K.exe | 58% | ReversingLabs | Win32.Trojan.Generic | |
            | 01vwXiyQ8K.exe | 52% | Virustotal | | Browse |
            | 01vwXiyQ8K.exe | 100% | Avira | HEUR/AGEN.1314029 | |
            | 01vwXiyQ8K.exe | 100% | Joe Sandbox ML | | |

            | Source | Detection | Scanner | Label | Link |
            | --- | --- | --- | --- | --- |
            | C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe | 100% | Avira | HEUR/AGEN.1314029 | |
            | C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe | 100% | Joe Sandbox ML | | |
            | C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe | 47% | ReversingLabs | Win32.Trojan.Generic | |
            | C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe | 52% | Virustotal | | Browse |

            No Antivirus matches

            | Source | Detection | Scanner | Label | Link |
            | --- | --- | --- | --- | --- |
            | ipwho.is | 0% | Virustotal | | Browse |

            | Source | Detection | Scanner | Label | Link |
            | --- | --- | --- | --- | --- |
            | https://api.ipify.org/ | 0% | URL Reputation | safe | |
            | https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe | |
            | https://stackoverflow.com/q/2152978/23354sCannot | 0% | URL Reputation | safe | |
            | https://ipwho.is/ | 0% | URL Reputation | safe | |
            | http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe | |
            | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
            | https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe | |
            | http://schemas.datacontract.org/2004/07/d | 0% | Avira URL Cloud | safe | |
            | https://ipwho.is | 0% | Avira URL Cloud | safe | |
            | http://ipwho.is | 0% | Avira URL Cloud | safe | |
            | http://ipwho.isd | 0% | Avira URL Cloud | safe | |
            | https://ipwho.is | 0% | Virustotal | | Browse |
            | http://ipwho.is | 0% | Virustotal | | Browse |
            | http://schemas.datacontract.org/2004/07/d | 0% | Virustotal | | Browse |

            | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
            | --- | --- | --- | --- | --- | --- |
            | ipwho.is | 195.201.57.90 | true | false | | unknown |
            | bkd.114250.xyz | 111.173.106.171 | true | true | | unknown |

            | Name | Malicious | Antivirus Detection | Reputation |
            | --- | --- | --- | --- |
            | https://ipwho.is/ | false | URL Reputation: safe | unknown |

            | Name | Source | Malicious | Antivirus Detection | Reputation |
            | --- | --- | --- | --- | --- |
            | https://api.ipify.org/ | 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown |
            | http://schemas.datacontract.org/2004/07/d | COM Services.exe, 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            | https://stackoverflow.com/q/14436606/23354 | 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, COM Services.exe, 00000006.00000002.2951377734.00000000049A2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
            | https://stackoverflow.com/q/2152978/23354sCannot | 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown |
            | http://schemas.datacontract.org/2004/07/ | COM Services.exe, 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
            | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 01vwXiyQ8K.exe, 00000000.00000002.2097783393.0000000004931000.00000004.00000800.00020000.00000000.sdmp, COM Services.exe, 00000006.00000002.2951377734.000000000499B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
            | http://ipwho.is | COM Services.exe, 00000006.00000002.2951377734.0000000004C34000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |
            | https://stackoverflow.com/q/11564914/23354; | 01vwXiyQ8K.exe, 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown |
            | http://ipwho.isd | COM Services.exe, 00000006.00000002.2951377734.0000000004C34000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
            | https://ipwho.is | COM Services.exe, 00000006.00000002.2951377734.0000000004C22000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown |

              IP | Domain | Country | ASN | ASN Name | Malicious
              111.173.106.171 | bkd.114250.xyz | China | 4134 | CHINANET-BACKBONENo31Jin-rongStreetCN | true
              195.201.57.90 | ipwho.is | Germany | 24940 | HETZNER-ASDE | false
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1447780
              Start date and time:2024-05-27 02:41:11 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 8m 47s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:12
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:01vwXiyQ8K.exe
              renamed because original name is a hash value
              Original Sample Name:29DC8180F10EA4A8333C75CA13D89B01.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@10/3@2/2
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 90%
              • Number of executed functions: 163
              • Number of non-executed functions: 136
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Not all processes where analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              Time | Type | Description
              01:42:37 | Task Scheduler | Run new task: System Services path: C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe
              20:43:15 | API Interceptor | 3494x Sleep call for process: COM Services.exe modified
              Process:C:\Users\user\Desktop\01vwXiyQ8K.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1119
              Entropy (8bit):5.345080863654519
              Encrypted:false
              SSDEEP:24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0Hj
              MD5:E6726BABA80C39624BADA32F0CCE6B54
              SHA1:4C769FA8A02DBE33AA9084040A9E6C70230334FA
              SHA-256:6A9F9C628B47AFC2A34A71826450A12D9293709BF977E72C04102F9DDD3705E0
              SHA-512:BBCCE0FCC59D29116253E71ECC786B8E3BA19D9A3124F36FEC9963C7F47016F145C76C18C5AD0FB6186ADEA69652BA99F29EF5AB5E71EFDD7EC07A82BB366960
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
              Process:C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1119
              Entropy (8bit):5.345080863654519
              Encrypted:false
              SSDEEP:24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0Hj
              MD5:E6726BABA80C39624BADA32F0CCE6B54
              SHA1:4C769FA8A02DBE33AA9084040A9E6C70230334FA
              SHA-256:6A9F9C628B47AFC2A34A71826450A12D9293709BF977E72C04102F9DDD3705E0
              SHA-512:BBCCE0FCC59D29116253E71ECC786B8E3BA19D9A3124F36FEC9963C7F47016F145C76C18C5AD0FB6186ADEA69652BA99F29EF5AB5E71EFDD7EC07A82BB366960
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
              Process:C:\Users\user\Desktop\01vwXiyQ8K.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):29560832
              Entropy (8bit):7.999778120405382
              Encrypted:true
              SSDEEP:786432:VofOiEX3ihOwHbyK6IFnSksNhz/PoXOqyQ:VTSh7HbyKFNsPTPGyQ
              MD5:29DC8180F10EA4A8333C75CA13D89B01
              SHA1:65BBAF371E659557CA492A5538FF1F3F7C9C5E0D
              SHA-256:4E8B21D9EF64D249E0E98B777B44120A28A88E33F37FE6B827AEFB3E6D093810
              SHA-512:9D46856E316DFE1380764496DA6D8334D059C6368C204CE472F30EF23CD53143DF7E000058DA6B73ED2569FF665C8EC2C64F643D0EB657118075E1F852BC0383
              Malicious:true
              Antivirus:
              • Antivirus: Avira, Detection: 100%
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 47%
              • Antivirus: Virustotal, Detection: 52%, Browse
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..........................................@.. .......................`.............................................._........ ...............................................................................................................text.... ... ... ..................`....sedata......@.......$.............. ....idata... ..........................@....rsrc.... ... ......................@....sedata.. ...@... ..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.999778120405382
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.94%
              • Win16/32 Executable Delphi generic (2074/23) 0.02%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:01vwXiyQ8K.exe
              File size:29'560'832 bytes
              MD5:29dc8180f10ea4a8333c75ca13d89b01
              SHA1:65bbaf371e659557ca492a5538ff1f3f7c9c5e0d
              SHA256:4e8b21d9ef64d249e0e98b777b44120a28a88e33f37fe6b827aefb3e6d093810
              SHA512:9d46856e316dfe1380764496da6d8334d059c6368c204ce472f30ef23cd53143df7e000058da6b73ed2569ff665c8ec2c64f643d0eb657118075e1f852bc0383
              SSDEEP:786432:VofOiEX3ihOwHbyK6IFnSksNhz/PoXOqyQ:VTSh7HbyKFNsPTPGyQ
              TLSH:B35733AF8D6AD13BC32A70B544599D0CEE3D1C272A25DE7B3BC50B52D9B45A500BB233
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d..........................................@.. .......................`.............................................
              Icon Hash:90cececece8e8eb0
              Entrypoint:0x202d884
              Entrypoint Section:.sedata
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
              Time Stamp:0x640DFAE7 [Sun Mar 12 16:16:39 2023 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:32c5de998b5f069b26c94c8143b13c06
              Instruction
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1c3005f | 0xb4 | .idata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c32000 | 0xc00 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x1b72000 | 0x1b72000 | b81b5b5f18067ad268e15ccd9879f9d2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .sedata | 0x1b74000 | 0xbc000 | 0xbbe00 | 18b760797a9c659b1c337af24c02c16a | False | 0.8542654274783765 | data | 7.831611017837314 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .idata | 0x1c30000 | 0x2000 | 0x200 | 424af747e064d9d788e1cd003408d66c | False | 0.533203125 | Message Sequence Chart (chart) | 4.309207801043733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rsrc | 0x1c32000 | 0x2000 | 0xc00 | f10b919d9334255926b4001a4c7184c8 | False | 0.3557942708333333 | data | 4.802221296158998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .sedata | 0x1c34000 | 0x2000 | 0x2000 | 20fb1b56e098d76309d48cc1a3149392 | False | 0.693115234375 | data | 7.9921639684838635 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_VERSION | 0x1c320a0 | 0x360 | data | | | 0.38078703703703703
              RT_MANIFEST | 0x1c32400 | 0x701 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.3987730061349693
              DLL | Import
              mscoree.dll | _CorExeMain
              MSVCRT.dll | strncpy
              IPHLPAPI.DLL | GetInterfaceInfo
              PSAPI.DLL | GetMappedFileNameW
              KERNEL32.dll | GetModuleFileNameW
              USER32.dll | GetWindow
              ADVAPI32.dll | RegDeleteKeyA
              SHELL32.dll | SHGetFolderPathW
              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              05/27/24-02:43:17.155959 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 53779 | 49737 | 111.173.106.171 | 192.168.2.4
              TimestampSource PortDest PortSource IPDest IP
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              May 27, 2024 02:43:16.216247082 CEST | 52574 | 53 | 192.168.2.4 | 1.1.1.1
              May 27, 2024 02:43:16.248284101 CEST | 53 | 52574 | 1.1.1.1 | 192.168.2.4
              May 27, 2024 02:43:18.173446894 CEST | 53603 | 53 | 192.168.2.4 | 1.1.1.1
              May 27, 2024 02:43:18.180679083 CEST | 53 | 53603 | 1.1.1.1 | 192.168.2.4
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              May 27, 2024 02:43:16.216247082 CEST | 192.168.2.4 | 1.1.1.1 | 0xbbc3 | Standard query (0) | bkd.114250.xyz | A (IP address) | IN (0x0001) | false
              May 27, 2024 02:43:18.173446894 CEST | 192.168.2.4 | 1.1.1.1 | 0xf20 | Standard query (0) | ipwho.is | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              May 27, 2024 02:43:16.248284101 CEST | 1.1.1.1 | 192.168.2.4 | 0xbbc3 | No error (0) | bkd.114250.xyz | | 111.173.106.171 | A (IP address) | IN (0x0001) | false
              May 27, 2024 02:43:18.180679083 CEST | 1.1.1.1 | 192.168.2.4 | 0xf20 | No error (0) | ipwho.is | | 195.201.57.90 | A (IP address) | IN (0x0001) | false
              • ipwho.is
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.4 | 49738 | 195.201.57.90 | 443 | 1104 | C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe
              TimestampBytes transferredDirectionData
              2024-05-27 00:43:19 UTC150OUTGET / HTTP/1.1
              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
              Host: ipwho.is
              Connection: Keep-Alive
              2024-05-27 00:43:19 UTC223INHTTP/1.1 200 OK
              Date: Mon, 27 May 2024 00:43:19 GMT
              Content-Type: application/json; charset=utf-8
              Transfer-Encoding: chunked
              Connection: close
              Server: ipwhois
              Access-Control-Allow-Headers: *
              X-Robots-Tag: noindex
              2024-05-27 00:43:19 UTC1029INData Raw: 33 66 39 0d 0a 7b 0a 20 20 20 20 22 41 62 6f 75 74 20 55 73 22 3a 20 22 68 74 74 70 73 3a 5c 2f 5c 2f 69 70 77 68 6f 69 73 2e 69 6f 22 2c 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 74 79 70 65 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 22 3a 20 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 0a 20 20 20 20 22 63 6f 6e 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 20 22 4e 41 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f
              Data Ascii: 3f9{ "About Us": "https:\/\/ipwhois.io", "ip": "8.46.123.175", "success": true, "type": "IPv4", "continent": "North America", "continent_code": "NA", "country": "United States", "country_code": "US", "region": "New Yo



              Target ID:0
              Start time:20:42:01
              Start date:26/05/2024
              Path:C:\Users\user\Desktop\01vwXiyQ8K.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\01vwXiyQ8K.exe"
              Imagebase:0x400000
              File size:29'560'832 bytes
              MD5 hash:29DC8180F10EA4A8333C75CA13D89B01
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2090153176.000000000435E000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.2043114076.0000000000720000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
              Reputation:low
              Has exited:true

              Target ID:4
              Start time:20:42:37
              Start date:26/05/2024
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:"schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f
              Imagebase:0x9a0000
              File size:187'904 bytes
              MD5 hash:48C2FE20575769DE916F48EF0676A965
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:20:42:37
              Start date:26/05/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:20:42:37
              Start date:26/05/2024
              Path:C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe"
              Imagebase:0x400000
              File size:29'560'832 bytes
              MD5 hash:29DC8180F10EA4A8333C75CA13D89B01
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.2951377734.0000000004C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.2944900500.0000000004548000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
              Antivirus matches:
              • Detection: 100%, Avira
              • Detection: 100%, Joe Sandbox ML
              • Detection: 47%, ReversingLabs
              • Detection: 52%, Virustotal, Browse
              Reputation:low
              Has exited:false

              Target ID:7
              Start time:20:42:37
              Start date:26/05/2024
              Path:C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe"
              Imagebase:0x400000
              File size:29'560'832 bytes
              MD5 hash:29DC8180F10EA4A8333C75CA13D89B01
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000007.00000002.2620765717.000000000437E000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:true

              Target ID:9
              Start time:20:43:13
              Start date:26/05/2024
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:"schtasks" /create /tn "System Services" /sc ONLOGON /tr "C:\Users\user\AppData\Roaming\COM Surrogates\COM Services.exe" /rl HIGHEST /f
              Imagebase:0x9a0000
              File size:187'904 bytes
              MD5 hash:48C2FE20575769DE916F48EF0676A965
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:10
              Start time:20:43:13
              Start date:26/05/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff7699e0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true


                Execution Graph

                Execution Coverage:3.1%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:53
                Total number of Limit Nodes:4

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • API String ID: 0-1605395142
                • Opcode ID: df8d3afb11323912a0c22750b32cb1cbd401f26fa047934c00dcd21838f1af43
                • Instruction ID: 82b5b6d08d8ae0093ca9bfc41c1dd4db75dc11e9a82de0bbc8117b088d062634
                • Opcode Fuzzy Hash: df8d3afb11323912a0c22750b32cb1cbd401f26fa047934c00dcd21838f1af43
                • Instruction Fuzzy Hash: 72720A30E0421A8FCB19EF64E955BDDBBF2FF44704F1089A8904AAB265DF745D898F81

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • API String ID: 0-1605395142
                • Opcode ID: c63a95988f7d6085f626f6659ca467ba624ef23dabd26dd21eebf11057bf11c1
                • Instruction ID: d3df5da51a4f14e2d13410eb6dbbb453587436aff7f7e6add328270e1bea0a6f
                • Opcode Fuzzy Hash: c63a95988f7d6085f626f6659ca467ba624ef23dabd26dd21eebf11057bf11c1
                • Instruction Fuzzy Hash: EA72FA30E1421A8FCB19EF64E955BDDBBF2FF44704F1089A8904AAB264DF745D898F81

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q$`Q^q$`Q^q
                • API String ID: 0-846367443
                • Opcode ID: 9c6824e5d63ffa53bf7300524e7b34a98f566046e0343767e6b101caf4585dcc
                • Instruction ID: 4611af8e6567c31162f9a4a75924f9ba29d7d1927d3b18b5ecadc3d3d6556ade
                • Opcode Fuzzy Hash: 9c6824e5d63ffa53bf7300524e7b34a98f566046e0343767e6b101caf4585dcc
                • Instruction Fuzzy Hash: 0F212971F003949BDB15DBB4D8047BEBBF6EB45F08F28019DE105AB280D6B4584587E2

                Control-flow Graph

                APIs
                • CreateActCtxWWorker.KERNEL32(00000020), ref: 03ED9E19
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID: CreateWorker
                • String ID:
                • API String ID: 1056503121-3916222277
                • Opcode ID: 4d06a0164d5774cec3eb209d7a7067f24b803e4c0818712438978e380c0da4c3
                • Instruction ID: 23ab04f5117503734bf1b198057186ef8edeeacd723f1ce3d0c5dccadfbf7a15
                • Opcode Fuzzy Hash: 4d06a0164d5774cec3eb209d7a7067f24b803e4c0818712438978e380c0da4c3
                • Instruction Fuzzy Hash: 6391C1359002299BCB24EF68CC98BD9B7F4AB48315F1857E5EC09EB256D7349E81CF50

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID: Hbq
                • API String ID: 0-1245868
                • Opcode ID: 9e6d470cf50bfe954b1b88849c66869ae1c490dd37eab5ab848f76cf945f83f8
                • Instruction ID: fa5302416fe2bff34a8c780188ded69e9d9695b5b225d08fc721692e414101fd
                • Opcode Fuzzy Hash: 9e6d470cf50bfe954b1b88849c66869ae1c490dd37eab5ab848f76cf945f83f8
                • Instruction Fuzzy Hash: 9451AE383006109FDB18EB29D854B2E77F6AFC5614F149669E506CB3A1CF35EC0287A4

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q
                • API String ID: 0-1948671464
                • Opcode ID: 1381195e2fff55b01eebd239069278d21f1da445158e7e1146606285de5db29c
                • Instruction ID: 6a8ff33a9846ce65a6610d2230e29f8811fd50f637c5bf8c434be13a03c20301
                • Opcode Fuzzy Hash: 1381195e2fff55b01eebd239069278d21f1da445158e7e1146606285de5db29c
                • Instruction Fuzzy Hash: 2351B170608244DFE705DB28E414BAA7FA7EF4930DF04C1A9E444AB382DB7A9845CBE5

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID: LR^q
                • API String ID: 0-2625958711
                • Opcode ID: a9b5d27325fc8f82e7695c173d1f1d78d977dfa5651b43698a067f4b5d505032
                • Instruction ID: 490ab5a863d3778e751a7c681fe78529cc768a19d05c2d2c2b430259fafc8033
                • Opcode Fuzzy Hash: a9b5d27325fc8f82e7695c173d1f1d78d977dfa5651b43698a067f4b5d505032
                • Instruction Fuzzy Hash: 9431A175B002059FDB18DF68D844BAEB7BAFF88714F1442A9E506D7350DB71AC05CB90

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID: 4'^q
                • API String ID: 0-1614139903
                • Opcode ID: 16a837a5f56232789bff9ef4b9292c4ae2b7c4de56a918736523361cb36be9eb
                • Instruction ID: 2700a1650339e01e29e5bc715f78c13396f33002415d2a03ed33c487d959dfb8
                • Opcode Fuzzy Hash: 16a837a5f56232789bff9ef4b9292c4ae2b7c4de56a918736523361cb36be9eb
                • Instruction Fuzzy Hash: D3113370B0011A8FDB08EB7998406EDBBB2EB45609F0411A9D406FB3E1EF349D478BA1

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q
                • API String ID: 0-1948671464
                • Opcode ID: 2617c4287d57dedb9c8c27155cd899325232788e003733bbdb4b3469a2b277f9
                • Instruction ID: 01d13d5486081fa032b6e4195748a14a383961ac69bc5a88055211fb49ff871d
                • Opcode Fuzzy Hash: 2617c4287d57dedb9c8c27155cd899325232788e003733bbdb4b3469a2b277f9
                • Instruction Fuzzy Hash: 53F0E536B442546FD7065629AC94F766BE69FCAA24F1900AEF10CCB2A1C8619C068320

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q
                • API String ID: 0-1948671464
                • Opcode ID: 63fb8791368d4f3ec65fb80b9f6a30f29686206adb6b150b46a48bbaf9633b10
                • Instruction ID: 34d7bd02a9f18be53677458e7871cd9677ef67aec0c6d6fcfa07e22dfed66ca1
                • Opcode Fuzzy Hash: 63fb8791368d4f3ec65fb80b9f6a30f29686206adb6b150b46a48bbaf9633b10
                • Instruction Fuzzy Hash: C0E04F327402146BD218556AAC54F67A69AEBC9A60F54006AF209DB2A0C891EC0542A4

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e8fff7f8cc3cd88898e56435528766779dde317ffd6736de97cc76b9d13460e
                • Instruction ID: b77108b101e6289221e4707e8a4121b231acd57ba6dcc1b0d4d4dda1c54712be
                • Opcode Fuzzy Hash: 3e8fff7f8cc3cd88898e56435528766779dde317ffd6736de97cc76b9d13460e
                • Instruction Fuzzy Hash: A2026031A04616CFCB15CF58C8C09AEB7F9FF44314B5A8AA9D8569B295E334FD85CB80

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e6da75b97e6c10203e783096042316cf9d95bbfd5f95ffc4bb99ff78decf5ef
                • Instruction ID: 02da664f582fc87d4e479feacc86e82d0c40318676cab35e23281d104b7cdec6
                • Opcode Fuzzy Hash: 9e6da75b97e6c10203e783096042316cf9d95bbfd5f95ffc4bb99ff78decf5ef
                • Instruction Fuzzy Hash: 09E12975A00219CFDB24DF64C884B9DBBB6FF85308F1541E8E909AB261DB71AD85CF90

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3596a0123c65b3fa027ea68c032a404eb94e7541ab7f47e23ebedc3c58ab7671
                • Instruction ID: de688a0bed88c6ae6e3216bdaec6b7f6303ad60da6ee2748bbf5e4ce192b6baf
                • Opcode Fuzzy Hash: 3596a0123c65b3fa027ea68c032a404eb94e7541ab7f47e23ebedc3c58ab7671
                • Instruction Fuzzy Hash: 9BA17374A10605CFCB04EF68C88499DBBB1FF89314F1596A9E505AF366EB70E985CF80

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 131ede958299ec2234f2ffad923d8748a714aa007fff18ac216e5917e1c7415b
                • Instruction ID: 91bdf26eaff06eafa6cd4e94d2efdc9bae7279d865dae64a20cb471a2d6f3e8d
                • Opcode Fuzzy Hash: 131ede958299ec2234f2ffad923d8748a714aa007fff18ac216e5917e1c7415b
                • Instruction Fuzzy Hash: 99A15335A10605CFCB04EF68C48499DBBB1FF89314F1596A9E509AB366EB70E985CF80

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Memory Dump Source
                • Source File: 00000000.00000002.2081844845.000000000256D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0256D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_256d000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 87fbcfc627308febcc7f78850722a9d44a85cf7b5942c2bb932def215f1e59f8
                • Instruction ID: 46970ab9e54b7ac447ab46e8fc654d61ab6f3f293d640f837d3d6924098a368a
                • Opcode Fuzzy Hash: 87fbcfc627308febcc7f78850722a9d44a85cf7b5942c2bb932def215f1e59f8
                • Instruction Fuzzy Hash: 6DE022303502000BD444F32CAC489FEA68BCFC1390B008A38D62AEB398DD60EC4A43E6
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 425d76a99453e8be9f86809387b5410d0a35cec86761d1ce636ea189713582ba
                • Instruction ID: eb77f34ae2e9587a494bbf24221ee5090c329f14c7d489d7681517a238c2beea
                • Opcode Fuzzy Hash: 425d76a99453e8be9f86809387b5410d0a35cec86761d1ce636ea189713582ba
                • Instruction Fuzzy Hash: 08F0AE3421C381D9EB11D7B6F64ABA57F9CD70064CF08E275B80085381DA78D980CF94
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b062dbd1974fdfa6545bd6297943158708842501839f430d883f737a496f3eb9
                • Instruction ID: 658299846e7328697eefc2a50c26e77f5fc31662a198005895ba31597b49f011
                • Opcode Fuzzy Hash: b062dbd1974fdfa6545bd6297943158708842501839f430d883f737a496f3eb9
                • Instruction Fuzzy Hash: 4FE01232354625CB8F14EBADF8449EAB7ECEF4996930801EAF50DC7750DB51EC008791
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8c762faa109c6ae09eb88c2bb739320aa63fedf4d8703a3dc7737210ac12031
                • Instruction ID: b13510ed92c843e9fd17ad78e2ddb94eafb02b58d0cc45013ce829e3b1781d7e
                • Opcode Fuzzy Hash: f8c762faa109c6ae09eb88c2bb739320aa63fedf4d8703a3dc7737210ac12031
                • Instruction Fuzzy Hash: 92E092766092A18FE7128B3CD8106A53F694B12359F0941A3DC80CB2A3E626CC92D792
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0495cf14143535f6db4532064a7a73b2fe50d71c614065c2ea86ea895dd52de9
                • Instruction ID: 8842cbab76d57031eebf5cc76a2a326fe6ced787302c9b7950edbddb4a37dc8e
                • Opcode Fuzzy Hash: 0495cf14143535f6db4532064a7a73b2fe50d71c614065c2ea86ea895dd52de9
                • Instruction Fuzzy Hash: F9D02E31301024D7DB059A4CB004BDF23A3DBCA30AF00C03AE908A3304CDB88C8683D2
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c8e2ad33ab1514d3411f1dbf7442c3bc0bb9516dff67f5abd438184fed09da2e
                • Instruction ID: 0ff25d7eee074f919dbdae662a42ed1f49c6228399b7a7343350fd0bf710bc88
                • Opcode Fuzzy Hash: c8e2ad33ab1514d3411f1dbf7442c3bc0bb9516dff67f5abd438184fed09da2e
                • Instruction Fuzzy Hash: D0E0C2A4E196828FD70ACB3C94182847FF1EB6630071600DAE000CB217E228CD85C762
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 78ad1ee8d95792092ff1980eccd9d9f57acbd5d40203976e6918bdc1b905f87b
                • Instruction ID: db0e01d6032ae4f6a34680267624d4227909ed2fdc743a0647cf345bd512068c
                • Opcode Fuzzy Hash: 78ad1ee8d95792092ff1980eccd9d9f57acbd5d40203976e6918bdc1b905f87b
                • Instruction Fuzzy Hash: 57D0220032003047F690E32D6C00BAB02CB9B80558B0102B8D306EF3C6E904EC410BD1
                Memory Dump Source
                • Source File: 00000000.00000002.2082246529.0000000003E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 03E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e70000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e52abd39f25f89173404f9d09e25a94bfcd7690233a4ab2e621d269bbd58edb
                • Instruction ID: 0f7e899e9f45736a8b1ae52c9a0f84063060e028ebe5cf84ca113b4b8a03db8b
                • Opcode Fuzzy Hash: 2e52abd39f25f89173404f9d09e25a94bfcd7690233a4ab2e621d269bbd58edb
                • Instruction Fuzzy Hash: 57D0C97032C2028FDF15DB25E74561A3BB6E7503497016560A58496265DE3898068B80
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 476a65948e61624e4cef4028c1aaa5ea0913903baa5373415081c9eed8d21f44
                • Instruction ID: 309acec464459e1f22f920b92e07ff6eed54ba992780de5ec4baee9a6f6a2914
                • Opcode Fuzzy Hash: 476a65948e61624e4cef4028c1aaa5ea0913903baa5373415081c9eed8d21f44
                • Instruction Fuzzy Hash: 6C610271614381DBD728DF28C955FAFB7F8AB88758F044A2DF9499B281D730DC028B92
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 16a62036e4e706d2c746df755261ac9d224226dc41c6f18a315a8479e09edfb4
                • Instruction ID: 3d17423bec38643d9bb1899145f64446a68b5de78f40301cb30f6810ebbdecdc
                • Opcode Fuzzy Hash: 16a62036e4e706d2c746df755261ac9d224226dc41c6f18a315a8479e09edfb4
                • Instruction Fuzzy Hash: A76170796083019FC715DF28C880A6AB7E5FFC8714F045B2DFA999B290DBB0D905CB56
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bbc79e89c556b82d8c8ae3217b52379be068d2f347366c747c0f889924ce31ee
                • Instruction ID: 04744e63a1d5cf173d5f425ec436d81d4a987aa0ce08d281af66ae2031eed91a
                • Opcode Fuzzy Hash: bbc79e89c556b82d8c8ae3217b52379be068d2f347366c747c0f889924ce31ee
                • Instruction Fuzzy Hash: 0A510635F0821AFBDB20DBA8CC54FAEB6B9AB04314F051715E911FB280DB709D008BA1
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9024748dcd625e552e8368af52c5f65ffbb77210ff49fa0f63f4adc76736af7
                • Instruction ID: 757319f451d1ac7f217d4f8f26c0e9a13816746e0ba71169554924f82b80933f
                • Opcode Fuzzy Hash: f9024748dcd625e552e8368af52c5f65ffbb77210ff49fa0f63f4adc76736af7
                • Instruction Fuzzy Hash: ED5197B5A0021D9BDB20DF65DC94BDA77FCEB89304F0045A9AA08E6241EB719E44CF25
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 98f7bd3d717f6617da0271bbe620942db8eaa8fb3d5126ee34376630fa62e34e
                • Instruction ID: a989b4369cf98bb62eea6d769b998ad562218ff7ba7975b99e0eaa4ef52c7c01
                • Opcode Fuzzy Hash: 98f7bd3d717f6617da0271bbe620942db8eaa8fb3d5126ee34376630fa62e34e
                • Instruction Fuzzy Hash: 4151AC36A00205DFEB25CF58CD84FEAB7B5EF88314F154269E954AB290C730ED02CBA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 79ba79a8bd683e6bdca2f64753467d0dfb4da513ddb77b01f564033655f39a38
                • Instruction ID: 704fe3cf9907555ccdfd3c80366ffff3409f3d5f40ffc8ac7e2d518e756ea1ed
                • Opcode Fuzzy Hash: 79ba79a8bd683e6bdca2f64753467d0dfb4da513ddb77b01f564033655f39a38
                • Instruction Fuzzy Hash: BC517B32A40205DFDB25CF58CD84FAAB7B5EF48314F154659E905AB296C770ED42CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4664d45c13f3ea49ace8f4b837af11889253b8fd23f0a3ecd9121a689114cb85
                • Instruction ID: e7098cbb0224df1e9e3c80613dd28ecb1e9e6a28ca0f4301d03667093403c739
                • Opcode Fuzzy Hash: 4664d45c13f3ea49ace8f4b837af11889253b8fd23f0a3ecd9121a689114cb85
                • Instruction Fuzzy Hash: D7519178740215AFEB15EF58C850A6A7BBAEBC8314F145255AE069B381EBB1CD01CB61
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: adf583a1ff359f7c86e0cf393c53c48670e16a4ac694d85b23da0866bd8fd6ea
                • Instruction ID: d1063d091e0e4a3ca144190608c17aec9d329fdd3a848e869ed2b9ea2df358d9
                • Opcode Fuzzy Hash: adf583a1ff359f7c86e0cf393c53c48670e16a4ac694d85b23da0866bd8fd6ea
                • Instruction Fuzzy Hash: F951A676E01119AFCF26DF98DC54AAEB7B8FB48358F041669E802F7250DB309E02CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 54827fe44e5d3a5f37248bd8476914cffc4033eb9b4a7d72c9160d420942592d
                • Instruction ID: 2c70e82ee3cd83c4d58a06176ddf9da7834cf98556342af21e0ff15dafb80dbb
                • Opcode Fuzzy Hash: 54827fe44e5d3a5f37248bd8476914cffc4033eb9b4a7d72c9160d420942592d
                • Instruction Fuzzy Hash: B551E5326102999BCF22CF16CE64BEEB779FB44308F08566CFD0996280D770D982CE90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1f8d91e4a2b383bff38d835e14a1168d9ec5fc76a3d0e5861a8536e94aaa2876
                • Instruction ID: acaca2080258b49fe4f521a921e4b0910c0d70d81513daafab2d428b7d58cf5a
                • Opcode Fuzzy Hash: 1f8d91e4a2b383bff38d835e14a1168d9ec5fc76a3d0e5861a8536e94aaa2876
                • Instruction Fuzzy Hash: 05414D76B00264ABDB14DFA8CD81A6DF3B4FF84714F195729F556DB280EB709A40C760
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6d3a33b0def2d44e3b91fb76358a77c4bca1e5feb4423b964ec0eac5a70669cc
                • Instruction ID: 56962aaf4d3778331e0eeb2aaed25443b0708ac729803163c303340da906d7e2
                • Opcode Fuzzy Hash: 6d3a33b0def2d44e3b91fb76358a77c4bca1e5feb4423b964ec0eac5a70669cc
                • Instruction Fuzzy Hash: E2419E35650644FFDB22EF64CE04B6FBBB9EF84744F045669E902AB255DA30D902CB60
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1aab962fae839f88aa2ab7df0bbc29c52acc18798f3a0762eef1c2e93b236c12
                • Instruction ID: 896f6d33032f066af5a094eb9749d5cc2c9cf626c874304db290ac7131627706
                • Opcode Fuzzy Hash: 1aab962fae839f88aa2ab7df0bbc29c52acc18798f3a0762eef1c2e93b236c12
                • Instruction Fuzzy Hash: EA51D03660025DABCB32DB55CE68FAE77B9EB04748F040658F905A6194DB70DD81CFA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8072938625a22f863c741e820a8d178804a0fa2005b5aee5ca01140331202d4e
                • Instruction ID: 58273881afe7f603fa8d3c0bf715bb3c75c3dddf24747483abc730250adbc226
                • Opcode Fuzzy Hash: 8072938625a22f863c741e820a8d178804a0fa2005b5aee5ca01140331202d4e
                • Instruction Fuzzy Hash: C6417935210204AFEF25DF66C844AAAB7B9FB49714F195756FC15CB1D0E730E892CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a0ec13fb8c7dfe231624c0cc2e07082978651d3bbcd45d603ad92ec173ee981f
                • Instruction ID: eb614d11914a2ce2fcc99493779b80359d563124f88a486f1dc851ce3cc8d68c
                • Opcode Fuzzy Hash: a0ec13fb8c7dfe231624c0cc2e07082978651d3bbcd45d603ad92ec173ee981f
                • Instruction Fuzzy Hash: 8D412A366002499FC735EF1A9894A3BB7B9EF81658B1E172CEF06872D4DBB0C9008E51
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0a71d974e57c284e663a1ee51f3748ef48979e7d50779d521df14969b8ccd21d
                • Instruction ID: 6d35f25ecc77cf7fa54c80abdefe71f2a296c1c8f0325e2bbc4a1f0454605cb3
                • Opcode Fuzzy Hash: 0a71d974e57c284e663a1ee51f3748ef48979e7d50779d521df14969b8ccd21d
                • Instruction Fuzzy Hash: E4518A31A083069FC710DF69C884A6ABBF9BF88718F055A3DF889D7250EB34D905CB56
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 140dc57aeb0dd99dd3c19a569b7096e2f63863f99c97e2438ae150dd87bdaa16
                • Instruction ID: 188811d6677bad772c027cb9b9a53ebd73e34a0e0f6c33e74af58149df7857bb
                • Opcode Fuzzy Hash: 140dc57aeb0dd99dd3c19a569b7096e2f63863f99c97e2438ae150dd87bdaa16
                • Instruction Fuzzy Hash: 9E515936200104AFEF25DF96C840AAABBB9FF49714F095256FD15CB1A0E731E892DF90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19aa7f8d1c7dcd2fbb348e5616996925827643e45bda749fe10f98eb2d183e7a
                • Instruction ID: a6d329f069b37fbdbca1e01839d021fa074ac7239c3b811d30943939aaba7e4b
                • Opcode Fuzzy Hash: 19aa7f8d1c7dcd2fbb348e5616996925827643e45bda749fe10f98eb2d183e7a
                • Instruction Fuzzy Hash: B751D075640219CFCB34DF19C984A96F7B8FF54304F185AAADA29CB254D770ED42CBA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9a599ab909df740fd151c3adba97370076c8275d105cf26e1a7b3b491da7da1f
                • Instruction ID: 53b7aea13e59026e131d13d813cb346fec4e457584084b3918e0f65d275dd5d8
                • Opcode Fuzzy Hash: 9a599ab909df740fd151c3adba97370076c8275d105cf26e1a7b3b491da7da1f
                • Instruction Fuzzy Hash: CB41E136A40208FFCB11AFA8DC59FAABB78FF08714F114555FA05EB2A4DB748941DB60
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f994814c846e4101a127bfbf6a4e2022806abdf93e313bf7be2c714fdbee9271
                • Instruction ID: cb102993ab8b60162aa4ffc404c2306065c7972583d123cdf914aaba8ab76350
                • Opcode Fuzzy Hash: f994814c846e4101a127bfbf6a4e2022806abdf93e313bf7be2c714fdbee9271
                • Instruction Fuzzy Hash: CA41E536A20299DBCF15CF58C680BAEF7B5FF44314F195A6CEA556B350CB30AC428B90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61ec64198a0485cc898dd1ebb2773a00d704dd830b0e9e73edeb7bfb4b4239b5
                • Instruction ID: 9fda4806bc7a8c5f3b4f7fffa4e75d1937f0693bc58ee724ddab6ab0230d9003
                • Opcode Fuzzy Hash: 61ec64198a0485cc898dd1ebb2773a00d704dd830b0e9e73edeb7bfb4b4239b5
                • Instruction Fuzzy Hash: 49411639A04106ABDB29DF58CC55EBEB779EF84710F088358FC16AB354EB309E41C691
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5d6bcb4d0cbea2450cf480acea7a4fbecace142fc4a4d1eb30fe29e233117704
                • Instruction ID: ee8506c334cc464c356623667832865ad5b851b0d13e4dd50c3411774d27309c
                • Opcode Fuzzy Hash: 5d6bcb4d0cbea2450cf480acea7a4fbecace142fc4a4d1eb30fe29e233117704
                • Instruction Fuzzy Hash: 1F41CF32600259ABCB21DF59CD88FAEB7B9FB45704F180298F91997294CB70ED81CF60
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7d36a939899a54ed5adb487e0fc70dfa31e9029d58b8b61750da4d8ea6b17ce9
                • Instruction ID: 315127a72ed024ad79a681747da52375994347af33dab5592484c7d3dc2205c4
                • Opcode Fuzzy Hash: 7d36a939899a54ed5adb487e0fc70dfa31e9029d58b8b61750da4d8ea6b17ce9
                • Instruction Fuzzy Hash: 0C41C475A0012CAFDB31DF148C54FEBB7BDEB54768F4506A5EA89A7140EBB05EC0CA60
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e575c8a8f6cdf2f7d92b830b4fc0d34b30f07485e027f0a974c56139f4db14d
                • Instruction ID: b9c3ab108014db4249cf16ba61a9d26e6a57376e7fc9eec907339fc720140587
                • Opcode Fuzzy Hash: 1e575c8a8f6cdf2f7d92b830b4fc0d34b30f07485e027f0a974c56139f4db14d
                • Instruction Fuzzy Hash: CC41717190011DAFDB13DFA8CC58EEB7BB8EF49344F041A64FA05AA214DB319D41CBA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ac939ede189cd56bfe6e555c32f3d23a3517299a8d3c93c862891a9971b1b3e5
                • Instruction ID: ab0475dc61ee65cdfa7afdf57744bb43953b2d09303e9ffa1976d7074f1d351f
                • Opcode Fuzzy Hash: ac939ede189cd56bfe6e555c32f3d23a3517299a8d3c93c862891a9971b1b3e5
                • Instruction Fuzzy Hash: F5419E76620241DFCB24DF28C650BAAB7F5FF48754B18466DE84ACB650E730ED82CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d806c196359f50759a23f8330c3f1e88e229286e9e306bd02aef31f571cdbb36
                • Instruction ID: 1e90388cf1549804cdc2a4c25757bc030807f9372f200037df43638b3a9c8c76
                • Opcode Fuzzy Hash: d806c196359f50759a23f8330c3f1e88e229286e9e306bd02aef31f571cdbb36
                • Instruction Fuzzy Hash: 26419F71A04616BBD714CF58CC45F9ABB78FB48710F028359B918AB290D770A901CBE0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f29c72af43eed9d4bfee671a2afe1b68a2cbf5160861a6a6bafe6fa8f3f89a90
                • Instruction ID: f02a30c9c236f86029594861ee5829fac459bc03b78c465c5a3393774b9079dc
                • Opcode Fuzzy Hash: f29c72af43eed9d4bfee671a2afe1b68a2cbf5160861a6a6bafe6fa8f3f89a90
                • Instruction Fuzzy Hash: EA314531B08B05BFE721DA289C44F9ABA689B41714F051275F943EF290DBA4ED41C7A0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 478c9be2756d3cefb4b6ddca730ffa2c92db129d6d92af85df597023dafd7fde
                • Instruction ID: ddbbcc2331062b138c39b923398d351bb7a200df00dba6cfdf75074d63658e1d
                • Opcode Fuzzy Hash: 478c9be2756d3cefb4b6ddca730ffa2c92db129d6d92af85df597023dafd7fde
                • Instruction Fuzzy Hash: 6331087DA00509AFDB14DF5DCC949AEB7BAEF88204B198279D802D7314DB30DE02CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2428f564a44dde45aec9909c252a269f74116706b79c43a470fa7ca0e5c8314e
                • Instruction ID: 91f88dadc5530ba64ee0ad27520f345bfa4e03db991e2482b63276f3bf0e4a03
                • Opcode Fuzzy Hash: 2428f564a44dde45aec9909c252a269f74116706b79c43a470fa7ca0e5c8314e
                • Instruction Fuzzy Hash: 3C416932A10656EFCB10DF5CCA84BAEF7B4FB44314F185269E801AB694DB31E912CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c6c6661ace02df2306d3fab2a6b2a8e6a2ed20f8b0740781a9abf3af1af4087c
                • Instruction ID: 6af44a513fa41efce67bfe75c6cfe0c23a815a45f8d6139df494d86719ab1156
                • Opcode Fuzzy Hash: c6c6661ace02df2306d3fab2a6b2a8e6a2ed20f8b0740781a9abf3af1af4087c
                • Instruction Fuzzy Hash: E4411B32B00E048BDB64CBADC8C17AAB3E6AB45358F29537DD56ACF1A0DA74B8418754
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ebd2688b4756ef334c13288e38bdce38a8597912c3150d904507dbc203702ea
                • Instruction ID: de10d6e0b2477d431d36fdc1dbbcfc4ed8a4bf9c898783d3f92eb38704f54e3e
                • Opcode Fuzzy Hash: 6ebd2688b4756ef334c13288e38bdce38a8597912c3150d904507dbc203702ea
                • Instruction Fuzzy Hash: CC412535A00606EFCB29DF68D4849A9F7B5FF48304B15877CD84297364DB30AD42CB94
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d094cafc977cc67b0c8cb826a982b9f18d7a193e9a9e454b41d80b7336835aef
                • Instruction ID: 11407ddc0c7a0a4238681521bd2c9333c12beb3b6cdacfd9b40f9ecb429a7e4f
                • Opcode Fuzzy Hash: d094cafc977cc67b0c8cb826a982b9f18d7a193e9a9e454b41d80b7336835aef
                • Instruction Fuzzy Hash: FA410471A40218AFDF21CF18DC98BEEB7B4EF54704F5942A5E419A7281E6309E86CF50
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4721ee8c88262d072a36fcb7e5ebbb13848bd971603c93d700156edbc2865a6
                • Instruction ID: 94f40beec9171c39644e4db33e003d32dd8bfc81812e87cf76b96900cecbd5d1
                • Opcode Fuzzy Hash: e4721ee8c88262d072a36fcb7e5ebbb13848bd971603c93d700156edbc2865a6
                • Instruction Fuzzy Hash: 9241723A910109FFCB12EFA8D858AEEBBB8FF48305F014965E906E7614D7349941CB60
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 979ba45cb07b921f4e6e415b15492af1e6a44e535fcb830036e1966141bb9235
                • Instruction ID: 57b664b295964023cacf04eeed4df66fd6b3f8c8e4440f3a700602d144245b3b
                • Opcode Fuzzy Hash: 979ba45cb07b921f4e6e415b15492af1e6a44e535fcb830036e1966141bb9235
                • Instruction Fuzzy Hash: FC315732A00218EFCB21CF68CC55BEDB7B5FB09708F1422A5E559A7240C6B0AD47CFA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37101e184f807940b95cbdfc1591cdeaa5b56f90b7750b302b4aa91dcdc43772
                • Instruction ID: dea3533b721dc97772c8960aa6ad08e6aac9f8df1b02724b246c6dd35b0a9043
                • Opcode Fuzzy Hash: 37101e184f807940b95cbdfc1591cdeaa5b56f90b7750b302b4aa91dcdc43772
                • Instruction Fuzzy Hash: C231E775A205559FDB28DF68CA40AAEB7B9EF84304F19463DF806D7350EB309D02CBA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 865f41753cdf2a21606ca137f81e171485c0fe70cb3660cb661d2ba29e7531ff
                • Instruction ID: 1ec82acb16402793ca5863d3eb6292c2e5219333347ad9616df31f75cc31d5b6
                • Opcode Fuzzy Hash: 865f41753cdf2a21606ca137f81e171485c0fe70cb3660cb661d2ba29e7531ff
                • Instruction Fuzzy Hash: 174151B1A0060AFFEB15CF99CC45AEABBF8FB48325F14432AE11592590D734A950CFA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c87552deaf842ed97d29cb391ecb251dccdaa5fe5023886453769596dbd387ef
                • Instruction ID: 4bdb4a57d117916cf09fe3d0ed1d5aba91825f051e1e9aa44eb7d0bd8bb8bb19
                • Opcode Fuzzy Hash: c87552deaf842ed97d29cb391ecb251dccdaa5fe5023886453769596dbd387ef
                • Instruction Fuzzy Hash: 7AF02472602A2067D332A2289C04B57BBBDDF82A98F091225B9099F380DF749C0782A0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e6417adaaf9672ffe4894fd5e87c52fbe9403b7518f1ff0874250514044399f
                • Instruction ID: 4e2280f7fcc7bb8b3911721049355caf00f3037f2c9a88244f1ee3583c9291c9
                • Opcode Fuzzy Hash: 3e6417adaaf9672ffe4894fd5e87c52fbe9403b7518f1ff0874250514044399f
                • Instruction Fuzzy Hash: 72011D75A50308AFDB09DF68C895E9A77F9BB4C704F508568B417DB280EB70E944CB54
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 64c0a37f27847282ff9bb2634b9cd52713382a3c3ef6c307a2de59e02c026957
                • Instruction ID: 0affc7e1ee1ce88cddf4f7e5d9a8722ac716821be0bf5337e4cdf5377dd58aa7
                • Opcode Fuzzy Hash: 64c0a37f27847282ff9bb2634b9cd52713382a3c3ef6c307a2de59e02c026957
                • Instruction Fuzzy Hash: F7013175650309ABCB09DF68D991E9E77F9BB4C700F108569B417DB280EB70E944CB54
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8883a150b78c49bdf9844d1288274400839c0e0914512f81d70afb25f60e233
                • Instruction ID: 4be61fea43eb3ebc8616bd9a95a162e779e3a21fdf0e0135b7969d29a6053721
                • Opcode Fuzzy Hash: f8883a150b78c49bdf9844d1288274400839c0e0914512f81d70afb25f60e233
                • Instruction Fuzzy Hash: F101BB32151980EFC732AF0ADA58E17BBF9FB95B55B054969F40693931CB34EC41CB60
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cc1e0d17d90844bf05d21d4557093df5cf2bea7521ab89afa58fb6d86e357519
                • Instruction ID: 5d1413edb03febd956c2dbcc637e6f933351ac9813a9b5c801ac6ec2f336d195
                • Opcode Fuzzy Hash: cc1e0d17d90844bf05d21d4557093df5cf2bea7521ab89afa58fb6d86e357519
                • Instruction Fuzzy Hash: AEF0E971200701AFC7229F69CC44A16BBE9FFC8711F10883DE59BC6550DB70D8528B10
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3022eea5309986d70dd35817438120a2cafb720a3de36607397f80a5e2e764ae
                • Instruction ID: 35eac4dad31d183efa934287d5ea7ef794284f4aeacc738d3e70078f06a698f2
                • Opcode Fuzzy Hash: 3022eea5309986d70dd35817438120a2cafb720a3de36607397f80a5e2e764ae
                • Instruction Fuzzy Hash: EFF0B432040701EAE732861DDD88BE2F7B8FF8171CF3C5A29F985165A1C7B2A8C0C555
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9965c4ccfa958559aa628aed425beb96ac2feb4310ef0f0a9500c91a63737af0
                • Instruction ID: e4a22d858991c350929c6d942d0bb814e3bd7b40784c4e81a8d1c187ba7bc74e
                • Opcode Fuzzy Hash: 9965c4ccfa958559aa628aed425beb96ac2feb4310ef0f0a9500c91a63737af0
                • Instruction Fuzzy Hash: A7F0BE3A200204FBCF22DB46C915B9E77B6EBA4759F245664E402AB190CF34CE02EF00
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2e5d96bd1ef7dface2538804407b5ec0b3733b0341de63edb3dde598aa776ab
                • Instruction ID: 0505d51f5d9977b7e5768efa5baddec979b47056d6ac8950774510a19db401b3
                • Opcode Fuzzy Hash: b2e5d96bd1ef7dface2538804407b5ec0b3733b0341de63edb3dde598aa776ab
                • Instruction Fuzzy Hash: 2AE0E53A241514ABC3216B59ED0CE96FA29EB84BA6F290331F91997180EB21AC03D6D0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c45760cdb7d7fceaa66531ea5c49605462074a1048f5862239c111f61d603df
                • Instruction ID: 4658effeb57e7181fc4cffc14c77384663f4d3e013207fdf847129ee7478cd14
                • Opcode Fuzzy Hash: 2c45760cdb7d7fceaa66531ea5c49605462074a1048f5862239c111f61d603df
                • Instruction Fuzzy Hash: E1E09232284218BBCB21FB65DC08F577BACFF08B65F054A61F50BEA411DA71D84397A0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: abbfb7b0bd2b221c58704f429873f435f4d06081b6c1d8d0c87489f58b45b84a
                • Instruction ID: 66b1561e130acd2801a762174828af72c3551f560d685d1da41b3752c9bffd1c
                • Opcode Fuzzy Hash: abbfb7b0bd2b221c58704f429873f435f4d06081b6c1d8d0c87489f58b45b84a
                • Instruction Fuzzy Hash: 3AF03032151A50EBC7329F08D908F167B75FB80B65F1A0A5CE8596B550C735FC42CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: db01a999681982313ca124c5d74a0e0c54aaf993c37f6ea960cee40d012bf838
                • Instruction ID: 5d7da196c023133b2bfdcac6743ca859f81cbe90ce686a39fede0d455193dc57
                • Opcode Fuzzy Hash: db01a999681982313ca124c5d74a0e0c54aaf993c37f6ea960cee40d012bf838
                • Instruction Fuzzy Hash: 61F0ED33005A10ABC331EB08D818B52F7B0EF80B10F1A8728E826578B5DB35AC82CB40
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6176c9af1f66ab9c691d3a64489f4e1faa326e68f6548e7c3bc25fa95a2bf265
                • Instruction ID: 46c25e4fac001aa4177166a7f73390822b9e5fdd3450a32a390bb63fbdaf7243
                • Opcode Fuzzy Hash: 6176c9af1f66ab9c691d3a64489f4e1faa326e68f6548e7c3bc25fa95a2bf265
                • Instruction Fuzzy Hash: A1F0F871502502DFD710DF08D544B91BBB4FF89318F1D82A9E5589F211E371AC82CB80
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b663009357e3847535b1a8e72ad5c2846640eea7d1cb395db1d0893fd1f942e
                • Instruction ID: 1f2ac0ca22395429cd5bde78245eea4ca27ebf762dd8ad85be0b6a579874cb98
                • Opcode Fuzzy Hash: 2b663009357e3847535b1a8e72ad5c2846640eea7d1cb395db1d0893fd1f942e
                • Instruction Fuzzy Hash: 3DE02636100108FBDB18EB41CC15EEB7B7CEB8064CF100298E90B26580EAB1EE02D7A0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 75f0d336ef8a641ee4277e925b6a2e8ed328fe82dd943c4ccca3b14a89294b8e
                • Instruction ID: d589dff2fa1ce0e64e78ed3be1a4da6486d435b942b577a17fe20685b2af7d6b
                • Opcode Fuzzy Hash: 75f0d336ef8a641ee4277e925b6a2e8ed328fe82dd943c4ccca3b14a89294b8e
                • Instruction Fuzzy Hash: 96F09B32445B11DBD7329B04D909B22B3F0EB00B16F09C91DB5AA5A9D0D774BC80CB40
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 94260b4456a1ab16f3a8a24e761195de73059c0d33d57b7b527699712d44f7e3
                • Instruction ID: 9a06228d4797304b78b0213524744509c38d3706b7c0678900adb77f67eb5301
                • Opcode Fuzzy Hash: 94260b4456a1ab16f3a8a24e761195de73059c0d33d57b7b527699712d44f7e3
                • Instruction Fuzzy Hash: 98E02636100104FBDB18EB45CC15EEBBB7CEF8064CF100298E90626580EAB1EE02D7A0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b208b32320d45c72e7dfa7820b0db31e285090838543f755a6c1a298cf5c3757
                • Instruction ID: ff25d9091e7bb859852eacd7179dd82bf6014a069d03f52e3cf1ab8e3ee50d05
                • Opcode Fuzzy Hash: b208b32320d45c72e7dfa7820b0db31e285090838543f755a6c1a298cf5c3757
                • Instruction Fuzzy Hash: 53E03935401E01EFC332AF0AE904813FBF4FBC5B21309CA3EA86A52A24C6359841CF50
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 55f05406cf80f3e9e33b08086a73b01038a5689ecee4dea38d05f624d03a770e
                • Instruction ID: 5ca0a15a70c99551218c82e804802a7a1cf1334e869d1823d461e970d8226016
                • Opcode Fuzzy Hash: 55f05406cf80f3e9e33b08086a73b01038a5689ecee4dea38d05f624d03a770e
                • Instruction Fuzzy Hash: E6E01237641164AFC7619B45DC08F5ABB7DEB88B71F158015F90997210C630ED01CBE0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                • Instruction ID: a2d14a8c1c9516ecf19c333cd40727bcb5a84bfc53d88b2042c3e0840dc26345
                • Opcode Fuzzy Hash: bcf163cb4427abcb7cf1e28c2c535b2182b2ccb3bfc9805e171924cbf72d3aba
                • Instruction Fuzzy Hash: 88D01737212238BBC725EE8ADC04DD3BFADFF89AA0B058059B61C8B1208530E850C7E0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d3fd450c444643bde0aaa0ec7175f306b519dad50374e43cb8d25b1ccbabd460
                • Instruction ID: 8790a17ddea47743dd5f999f01a566a3590bf81aef17d17fc71c804925bcea3b
                • Opcode Fuzzy Hash: d3fd450c444643bde0aaa0ec7175f306b519dad50374e43cb8d25b1ccbabd460
                • Instruction Fuzzy Hash: D3E04F32041614AFC7329B05D81CF52BBA8FB40765F098815F60956450C775A850DF90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 03ec7075b05c065336d67f95b9847d29b4fda4a07b99d507cdf335099aa4bbbd
                • Instruction ID: 10a03cfd61208b3ccad7960e0cd958105823835ff67bdea30dac83589a805377
                • Opcode Fuzzy Hash: 03ec7075b05c065336d67f95b9847d29b4fda4a07b99d507cdf335099aa4bbbd
                • Instruction Fuzzy Hash: 43E08C35001600DFEB3ADF1BD418B66B3B1EF44B15F096A1EA4A6529A0CB78A8C1CB40
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ba6776f88ac652e79b0d995ce0140421e28879680c0bc1c8e242b708a6a163d3
                • Instruction ID: da2986f9e043fa66a3ddef0c15a9018293508b55f84dbe3c0b9689ef2905e7d5
                • Opcode Fuzzy Hash: ba6776f88ac652e79b0d995ce0140421e28879680c0bc1c8e242b708a6a163d3
                • Instruction Fuzzy Hash: 60E0EC31254544AFDB26DF58FA68F2AB7B9FB48B04F0A0518B40AE3560CA25D941CA20
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1b3e5113a7933aae5ae4fee1a9c189e2575ff93fbb7e622b3bcb1d31d465217b
                • Instruction ID: 094751b64f25aa7e5b67b38f0acdfda092def3e7eefba1718d658584c44ce24b
                • Opcode Fuzzy Hash: 1b3e5113a7933aae5ae4fee1a9c189e2575ff93fbb7e622b3bcb1d31d465217b
                • Instruction Fuzzy Hash: 06D05B32155198A7C3315A49AD48F81BF98EB44754F184025F90997561C6749841C7D4
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c954125d07a6c40e8a07cd747802c0c19018b7384788b34aeae02da9c1f8ea1
                • Instruction ID: f5069b03ec69763be37f76353b18b786a90c980f80397d57439763da1ebc6d03
                • Opcode Fuzzy Hash: 6c954125d07a6c40e8a07cd747802c0c19018b7384788b34aeae02da9c1f8ea1
                • Instruction Fuzzy Hash: 25D05E31610288AECB31CA19D844B91B7E8D744654F0C9910E90C8B121D234E943C710
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 64adae068c7ce90a9a42eeb87ceaae34762043070be0519c6079a3662632da68
                • Instruction ID: dbb99935f4ddd11ab586490b2b43b00ee6302e05be72984bf55aa08ca2c70f7c
                • Opcode Fuzzy Hash: 64adae068c7ce90a9a42eeb87ceaae34762043070be0519c6079a3662632da68
                • Instruction Fuzzy Hash: E7D0C7B6A10B50CBDB22DB88980078CB7B0E740A74F10036AC012AB3C0C3B82A008F80
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e95fb3db77209d6321970fbbebe46b6a207df9624e492bf38af0411b526b96b7
                • Instruction ID: 07b5704bdbb23bffbb8c14d1591b9a6e92a84346fa10017ba0ddce4e49d9484d
                • Opcode Fuzzy Hash: e95fb3db77209d6321970fbbebe46b6a207df9624e492bf38af0411b526b96b7
                • Instruction Fuzzy Hash: 86D0C933112050AFC321AB5CE918F8137A8FB4D314B160461B101D3124C674DC01CBA0
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ced453204738b01f826c3c7524ecca5e960224b09a67bc91c5ad81314ce70a4f
                • Instruction ID: 32e22a81bca8f610386a9a73f189860daf1a15b2413b176c43db20455816ba78
                • Opcode Fuzzy Hash: ced453204738b01f826c3c7524ecca5e960224b09a67bc91c5ad81314ce70a4f
                • Instruction Fuzzy Hash: 8AC01231211E408ACB11AB28C90872173F4EB40606F0944A4A042D5868DB24D881D554
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1f71db7f365a7ed34b9f70a0200d2a9af6464cd17e5662724052cdd1c6f0af0f
                • Instruction ID: 9d3d1e08b9f78644521d9396528c007ea8af446d930e57cfca172e4134351fbd
                • Opcode Fuzzy Hash: 1f71db7f365a7ed34b9f70a0200d2a9af6464cd17e5662724052cdd1c6f0af0f
                • Instruction Fuzzy Hash: 6AD0C931C45518DFCF71DA45C658B6AB778FB04709F0C5564E5256641086344442CE90
                Memory Dump Source
                • Source File: 00000000.00000002.2082357710.0000000003E90000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E90000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3e90000_01vwXiyQ8K.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad407ed96c308c72ac0fac517dbda1885112c105d5f3409dc80887de19ba1025
                • Instruction ID: d39bf1a23d60cdd0560ea69f824194fe26d3f18bda8dcf4f5ac86a69d70f9272
                • Opcode Fuzzy Hash: ad407ed96c308c72ac0fac517dbda1885112c105d5f3409dc80887de19ba1025
                • Instruction Fuzzy Hash: 86D01232180648FBDB229F44D908F557B79FB94754F154021BA09169B0CB79D9A0DB94

                Execution Graph

                Execution Coverage:4.1%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:1.1%
                Total number of Nodes:538
                Total number of Limit Nodes:80
69257 41ac868 69220->69257 69222 41b8e33 69221->69222 69224 419e54a GetPEB 69222->69224 69226 41b8e7e 69222->69226 69223 41fa2a6 GetPEB 69225 41fa2b9 GetPEB 69223->69225 69224->69226 69227 41fa2cc 69225->69227 69228 41b8e96 GetPEB 69225->69228 69226->69223 69229 41b8e8b 69226->69229 69230 419e54a GetPEB 69227->69230 69235 41b8ea9 69228->69235 69229->69225 69229->69228 69231 41fa2d1 69230->69231 69232 41fa2d5 GetPEB 69231->69232 69234 41fa2e5 69231->69234 69232->69234 69234->69228 69236 41b8ed0 69235->69236 69239 41b8f5f 69235->69239 69266 41cd5ea LdrInitializeThunk 69235->69266 69237 41fa3a4 GetPEB 69236->69237 69236->69239 69241 41b8eea 69236->69241 69242 41b8f57 69236->69242 69237->69241 69239->69214 69240 41b8f03 69243 419e54a GetPEB 69240->69243 69250 41b8f12 69240->69250 69241->69242 69267 41cd75a LdrInitializeThunk 69241->69267 69273 41cd38a LdrInitializeThunk 69242->69273 69243->69250 69245 41b8f1a 69247 41fa471 GetPEB 69245->69247 69256 41b8f23 69245->69256 69246 41fa45d GetPEB 69246->69247 69248 41fa484 69247->69248 69247->69256 69249 419e54a GetPEB 69248->69249 69252 41fa489 69249->69252 69250->69245 69250->69246 69251 41b8f43 69251->69239 69272 41cd38a LdrInitializeThunk 69251->69272 69255 41fa48d GetPEB 69252->69255 69252->69256 69255->69256 69256->69251 69268 41abc3c 69256->69268 69258 41ac885 69257->69258 69260 41ac900 69258->69260 69261 41ac989 69258->69261 69260->69220 69262 41ac9b7 69261->69262 69263 41ac9f6 69262->69263 69265 41cd68a LdrInitializeThunk 69262->69265 69263->69260 69265->69263 69266->69235 69267->69240 69270 41abc51 69268->69270 69269 41abda7 69269->69251 69270->69269 69274 41a5d1a 69270->69274 69272->69242 69273->69239 69278 41a5d3e 69274->69278 69275 41a5f22 69275->69269 69277 41a5ec3 69277->69275 69292 419875a 69277->69292 69278->69275 69278->69277 69280 41a5f5a 69278->69280 69281 41a6009 69280->69281 69282 41a61c3 GetPEB 69281->69282 69283 41f2ed4 GetPEB 69281->69283 69284 41a651e GetPEB 69281->69284 69285 41f31b8 GetPEB 
69281->69285 69287 41a6281 GetPEB 69281->69287 69288 41a417a 18 API calls 69281->69288 69289 41a68d4 69281->69289 69291 41a6956 69281->69291 69299 41acb72 69281->69299 69282->69281 69283->69281 69284->69281 69285->69281 69287->69281 69288->69281 69289->69291 69303 418256b GetPEB 69289->69303 69291->69278 69296 41987c8 69292->69296 69294 4198d82 69294->69275 69297 4198943 69296->69297 69298 4198c75 69296->69298 69316 41ab5a1 69296->69316 69297->69294 69320 41cd55a LdrInitializeThunk 69297->69320 69298->69275 69300 41acb9e 69299->69300 69301 41acbf2 69300->69301 69304 41a9897 69300->69304 69301->69281 69303->69291 69305 41a98af 69304->69305 69307 41a98f3 69305->69307 69308 41ab905 69305->69308 69307->69301 69309 41ab922 69308->69309 69311 41ab959 69308->69311 69313 41ab982 69309->69313 69314 41cd62a LdrInitializeThunk 69309->69314 69311->69313 69315 41cd38a LdrInitializeThunk 69311->69315 69313->69307 69314->69311 69315->69313 69317 41ab5b7 69316->69317 69319 41ab5ec 69317->69319 69321 41ab60b 69317->69321 69319->69297 69320->69294 69322 41ab617 69321->69322 69323 41ab658 GetPEB 69322->69323 69325 41ab646 69322->69325 69326 41ab679 69323->69326 69325->69319 69326->69325 69328 41ab7a4 69326->69328 69329 41cd47a LdrInitializeThunk 69326->69329 69328->69325 69330 418256b GetPEB 69328->69330 69329->69328 69330->69325 69331 41b8984 69332 41ac868 LdrInitializeThunk 69331->69332 69335 41b89de 69332->69335 69333 41b8e11 38 API calls 69334 41b8a3c 69333->69334 69335->69333 69335->69334 69336 4187ffa 69344 41ae19a 69336->69344 69338 418800e 69341 4188041 69338->69341 69347 41cd3ba LdrInitializeThunk 69338->69347 69340 4188058 69341->69340 69348 41cd3ba LdrInitializeThunk 69341->69348 69343 41e5205 69349 41cd4ca LdrInitializeThunk 69344->69349 69346 41ae1c3 69346->69338 69347->69341 69348->69343 69349->69346 69350 24b4668 69351 24b4676 69350->69351 69354 24b6de0 69351->69354 69352 24b46e9 69355 24b6e05 69354->69355 69359 24b6edf 69355->69359 69363 24b6ef0 69355->69363 69356 
24b6e0f 69356->69352 69361 24b6f17 69359->69361 69360 24b6ff4 69360->69360 69361->69360 69367 24b6414 69361->69367 69365 24b6f17 69363->69365 69364 24b6ff4 69364->69364 69365->69364 69366 24b6414 CreateActCtxWWorker 69365->69366 69366->69364 69368 24b7370 69367->69368 69371 3e7e270 69368->69371 69369 24b7423 69372 3e7e3be 69371->69372 69374 3e7e2dd 69371->69374 69372->69369 69373 3e7e4ed CreateActCtxWWorker 69373->69372 69374->69372 69374->69373 69375 4035be0 69376 4035bf7 69375->69376 69378 4035bef 69375->69378 69379 4035933 69376->69379 69380 4035956 69379->69380 69381 403595c 69380->69381 69382 40359a5 DnsQueryConfig DnsQueryConfig 69380->69382 69381->69378 69382->69381 69383 41a8a3e 69386 41a8a4a 69383->69386 69384 41a8a7f 69385 41acb72 2 API calls 69385->69386 69386->69384 69386->69385 69388 41acab0 69386->69388 69389 41acac9 69388->69389 69391 41acb3f 69389->69391 69392 41ac23e 69389->69392 69391->69386 69393 41ac29b 69392->69393 69394 41ac25c 69392->69394 69393->69391 69394->69393 69396 41ac290 69394->69396 69397 41ac23e 4 API calls 69394->69397 69396->69393 69398 41abff8 69396->69398 69397->69394 69399 41ac004 69398->69399 69400 41ac188 69399->69400 69402 41a85db 69399->69402 69400->69393 69403 41a85e7 69402->69403 69404 419e54a GetPEB 69403->69404 69405 41a85f3 69404->69405 69406 41a85fb 69405->69406 69407 41f3ec2 GetPEB 69405->69407 69408 41f3ed5 GetPEB 69406->69408 69413 41a8609 69406->69413 69407->69408 69409 41f3ee8 69408->69409 69408->69413 69410 419e54a GetPEB 69409->69410 69411 41f3eed 69410->69411 69412 41f3ef1 GetPEB 69411->69412 69411->69413 69412->69413 69413->69399 69418 41cd2fa LdrInitializeThunk 69419 41cd434 69420 41cd449 LdrInitializeThunk 69419->69420 69421 41cd43b 69419->69421 69422 24be120 69423 24be12d 69422->69423 69424 24be166 69423->69424 69426 24bc464 69423->69426 69428 24bc46f 69426->69428 69427 24be1d8 69428->69427 69430 24bc498 69428->69430 69431 24bc4a3 69430->69431 69434 24be2c0 69431->69434 69432 24be256 69432->69427 69435 
24be2ee 69434->69435 69436 24be3ba KiUserCallbackDispatcher 69435->69436 69437 24be3bf 69435->69437 69436->69437 69438 3fb9555 69439 3fb960a 69438->69439 69441 3fb9826 69439->69441 69442 3fc5b9a NdrClientCall4 69439->69442 69442->69441 69443 419e56a 69444 419e5e8 69443->69444 69445 419e611 69443->69445 69446 419e659 GetPEB 69445->69446 69449 419e638 69445->69449 69447 419e67b 69446->69447 69448 419e666 69446->69448 69451 419e685 GetPEB 69447->69451 69454 419e694 69447->69454 69448->69447 69450 419e66b GetPEB 69448->69450 69450->69447 69451->69454 69452 419e84a 69453 419e891 GetPEB 69452->69453 69479 419e8aa 69452->69479 69453->69479 69454->69452 69455 419f747 69454->69455 69467 419e731 69454->69467 69456 419f7aa 69455->69456 69457 419f794 GetPEB 69455->69457 69458 419e54a GetPEB 69456->69458 69457->69456 69459 419f7ee 69458->69459 69460 419f7f2 GetPEB 69459->69460 69461 419f80b 69459->69461 69460->69461 69462 419e54a GetPEB 69461->69462 69463 419f843 69462->69463 69464 419f85a 69463->69464 69465 419f847 GetPEB 69463->69465 69470 419f864 GetPEB 69464->69470 69484 419f88c 69464->69484 69465->69464 69466 419eb79 GetPEB 69468 419eb86 GetPEB 69466->69468 69483 419eba1 69466->69483 69468->69483 69469 419f008 69469->69467 69471 419f050 GetPEB 69469->69471 69473 419f873 69470->69473 69470->69484 69475 419f05d GetPEB 69471->69475 69488 419f078 69471->69488 69472 419edb1 GetPEB 69476 419edbe GetPEB 69472->69476 69487 419ead6 69472->69487 69477 419e54a GetPEB 69473->69477 69474 419e54a GetPEB 69478 419f8b8 69474->69478 69475->69488 69476->69487 69480 419f878 69477->69480 69481 419f8bc GetPEB 69478->69481 69482 419f8cf 69478->69482 69479->69466 69479->69467 69479->69487 69480->69484 69485 419f87c GetPEB 69480->69485 69481->69482 69482->69467 69489 419e54a GetPEB 69482->69489 69486 419ebc7 GetPEB 69483->69486 69484->69474 69485->69484 69486->69487 69487->69467 69487->69469 69487->69472 69491 419edff GetPEB 69487->69491 69490 419f0a1 GetPEB 69488->69490 69492 419f8de 
69489->69492 69490->69467 69491->69487 69492->69467 69493 419f8e2 GetPEB 69492->69493 69493->69467

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 844 41ac6e6-41ac712 845 41ac718-41ac71a 844->845 846 41f5086 844->846 845->846 847 41ac720-41ac761 call 419a74a 845->847 851 41ac767-41ac789 call 41c04ea 847->851 852 41ac844-41ac849 847->852 851->852 858 41ac78f-41ac7a2 call 419a74a 851->858 854 41ac84f-41ac865 call 41cf45a 852->854 855 41f5077-41f5081 852->855 855->846 858->852 863 41ac7a8-41ac7bb call 419a74a 858->863 863->852 866 41ac7c1-41ac7d4 call 419a74a 863->866 866->852 869 41ac7d6-41ac7e9 call 419a74a 866->869 869->852 872 41ac7eb-41ac7fd call 419a74a 869->872 872->852 875 41ac7ff-41ac83e NtOpenKey 872->875 875->852 876 41f5012-41f502e call 426642b 875->876 879 41f505c-41f505e 876->879 880 41f5030-41f5035 876->880 879->852 881 41f5064-41f5067 879->881 882 41f503e-41f5042 880->882 883 41f5037-41f503c 880->883 881->852 884 41f506d-41f5072 881->884 885 41f504f 882->885 886 41f5044-41f504d 882->886 883->879 884->852 887 41f5054-41f5056 885->887 886->887 887->852 887->879
                APIs
                • NtOpenKey.NTDLL(?,00020019,00000018,?,?,?,76E956D4,?,76E94EE8,?,76E956D4,?,?,76E94E90,00000000,76E94E48), ref: 041AC834
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: Open
                • String ID: @
                • API String ID: 71445658-2766056989
                • Opcode ID: aecbbf19038232d34efa27909aa9039dc4976dc32be2897279da607b4d627dc4
                • Instruction ID: 6df18b375d08e6a8113781d585e22cf4a409cf1042ca5efa79afc3ed6f2318c0
                • Opcode Fuzzy Hash: aecbbf19038232d34efa27909aa9039dc4976dc32be2897279da607b4d627dc4
                • Instruction Fuzzy Hash: 2B518176904715AFE725CE24C8C4A5BB7E9AF84B14F014A2DFA459B201EB30FD0987E7
                APIs
                • LdrInitializeThunk.NTDLL(0420A9B0,7FFE0384,00020119,?,00000000,00000000), ref: 041CE4C4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 975e4540047c09df17ad09b790a727036ee41cf6a4f9c9dbfc7b57c3140214fc
                • Instruction ID: 4c4b2517a01270269c9b175c558a4f19563d295adb9ca9ea6a41c2a7e44bb8d4
                • Opcode Fuzzy Hash: 975e4540047c09df17ad09b790a727036ee41cf6a4f9c9dbfc7b57c3140214fc
                • Instruction Fuzzy Hash: E190023124140553D50571589904647100547D5341F66D511A052451CECB54896161A2

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 0 24b74e0-24b750c 2 24b750e-24b752b 0->2 3 24b752c-24b82ad 0->3 268 24b82b8-24b82e2 call 24b650c 3->268 270 24b82e7-24b8301 call 24b650c 268->270
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                • API String ID: 0-1605395142
                • Opcode ID: 356ed2fae337bb106b28d20e3e134f2de8a62aab3255c169666817a5c3a05852
                • Instruction ID: 07cebe9cce942faa4c3abee3bab0ed46389ff9f88f4a20f76a283ad264e4d2bd
                • Opcode Fuzzy Hash: 356ed2fae337bb106b28d20e3e134f2de8a62aab3255c169666817a5c3a05852
                • Instruction Fuzzy Hash: AA722C30E0110A8FDB1CEF65E9556DDBBF2FB44700F1045AAD04AAB269DF346D898F81

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 273 24b7570-24b82e2 call 24b650c 533 24b82e7-24b8301 call 24b650c 273->533
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                • API String ID: 0-1605395142
                • Opcode ID: 7c084d66770235bb7f1b1d6a636ec329b1a2ecfedbd70b56e0547a1c6c1650da
                • Instruction ID: 8c7a0c1812f63afa16cc975111fab84d47dac88a408108cd7c0d5bf91ee6bec7
                • Opcode Fuzzy Hash: 7c084d66770235bb7f1b1d6a636ec329b1a2ecfedbd70b56e0547a1c6c1650da
                • Instruction Fuzzy Hash: 56720B30E0110A8FDB1CEF65E9556DDBBF2FB44B00F1045AAD04AAB269DF346D898F81

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 751 24b71d0-24b71f1 752 24b7259-24b725f 751->752 753 24b71f3-24b71fc 751->753 754 24b72b2-24b72bb 752->754 755 24b7261-24b7268 752->755 753->754 759 24b7202-24b7237 753->759 757 24b728b-24b7292 755->757 758 24b726a call 24b6420 755->758 757->754 761 24b7294-24b72af 757->761 762 24b726f-24b7284 758->762 759->754 770 24b7239-24b7257 759->770 761->754 762->757 770->754
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q$`Q^q$`Q^q
                • API String ID: 0-846367443
                • Opcode ID: c53c316ecd63e2ba3d5c89932f4f1021679f417d95bbe53fe843d91c32f4e01c
                • Instruction ID: 58f1eff9daa1e645d5f6b1f89201f8978f6f8f9222260e54562dc9a88bbe3b94
                • Opcode Fuzzy Hash: c53c316ecd63e2ba3d5c89932f4f1021679f417d95bbe53fe843d91c32f4e01c
                • Instruction Fuzzy Hash: 51219831F002585BEB1A9BB5C8057AEBAE2AF85F04F24015ED105AF384DAB4598687E5

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 773 3e7e270-3e7e2d7 774 3e7e51d-3e7e525 773->774 775 3e7e2dd-3e7e2e6 773->775 776 3e7e52a-3e7e539 774->776 775->774 777 3e7e2ec-3e7e301 775->777 783 3e7e53c-3e7e543 776->783 778 3e7e307-3e7e30a 777->778 779 3e7e50d-3e7e51b 777->779 781 3e7e317-3e7e31a 778->781 782 3e7e30c-3e7e311 778->782 779->776 784 3e7e31c-3e7e323 781->784 785 3e7e32b-3e7e32d 781->785 782->779 782->781 786 3e7e545-3e7e54b 783->786 787 3e7e552-3e7e559 783->787 784->779 788 3e7e329 784->788 789 3e7e32f-3e7e332 785->789 786->787 790 3e7e576-3e7e58b 787->790 791 3e7e55b-3e7e567 787->791 788->789 792 3e7e334-3e7e33b 789->792 793 3e7e341-3e7e34a 789->793 801 3e7e593-3e7e5a3 call 3e4795f 790->801 802 3e7e58d-3e7e58e call 3e411d0 790->802 791->790 794 3e7e569-3e7e56f 791->794 792->779 792->793 795 3e7e34c-3e7e353 793->795 796 3e7e359-3e7e35c 793->796 794->790 795->796 797 3e7e507 795->797 799 3e7e35e-3e7e365 796->799 800 3e7e36b-3e7e374 796->800 797->779 799->797 799->800 803 3e7e376-3e7e37b 800->803 804 3e7e381-3e7e384 800->804 802->801 803->797 803->804 807 3e7e386-3e7e3bc 804->807 808 3e7e3e8-3e7e3ea 804->808 832 3e7e3d4-3e7e3e6 807->832 833 3e7e3be-3e7e3c4 807->833 809 3e7e3f6 808->809 810 3e7e3ec-3e7e3f1 808->810 812 3e7e3fc-3e7e3ff 809->812 810->790 814 3e7e401-3e7e405 812->814 815 3e7e40c-3e7e40f 812->815 814->815 816 3e7e411-3e7e415 815->816 817 3e7e41c-3e7e41e 815->817 816->817 819 3e7e420-3e7e423 817->819 820 3e7e429-3e7e42c 817->820 819->820 821 3e7e42e-3e7e480 820->821 822 3e7e4aa-3e7e4ad 820->822 841 3e7e487-3e7e492 821->841 842 3e7e482 821->842 824 3e7e4af-3e7e4c0 call 3e407d9 822->824 825 3e7e4ed-3e7e503 CreateActCtxWWorker 822->825 834 3e7e4e7 824->834 835 3e7e4c2-3e7e4d6 824->835 825->783 826 3e7e505 825->826 830 3e7e4d9-3e7e4e5 826->830 830->783 832->812 833->783 837 3e7e3ca-3e7e3cf 833->837 834->825 835->830 837->783 841->783 843 3e7e498-3e7e4a4 841->843 842->841 843->822
                APIs
                • CreateActCtxWWorker.KERNEL32(00000020), ref: 03E7E4F4
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929820020.0000000003E35000.00000040.00000020.00020000.00000000.sdmp, Offset: 03E35000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_3e35000_COM Services.jbxd
                Similarity
                • API ID: CreateWorker
                • String ID:
                • API String ID: 1056503121-3916222277
                • Opcode ID: 475740f321e7f84b474bc28d3bffa124a102d202f8f8a1d80d3dfd4471880095
                • Instruction ID: 58d9965f8372e34398ca5c2a23ddc9d20b326ab1fb1d902d6ce065a6b6d4503c
                • Opcode Fuzzy Hash: 475740f321e7f84b474bc28d3bffa124a102d202f8f8a1d80d3dfd4471880095
                • Instruction Fuzzy Hash: FB917F7590062D9BCF24EF64DC887E9B7B5AB88315F1853E5E909AB250E734EE80CF50

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 888 4035933-403595a call 401ed46 891 4035967-403598c call 402774b 888->891 892 403595c-4035962 888->892 898 40359a5-40359e7 DnsQueryConfig * 2 call 403d5a9 call 4038840 891->898 899 403598e-403599c call 40358f1 891->899 896 4035a01-4035a05 892->896 905 40359ec-40359ee 898->905 899->898 906 40359f0-40359f7 905->906 907 40359fd-40359ff 905->907 906->907 907->896
                APIs
                • DnsQueryConfig.DNSAPI(0000000D,00000000,00000000,00000000,00000000,00000004), ref: 040359B9
                • DnsQueryConfig.DNSAPI(00000001,00000000,00000000,00000000,00000084,00000004), ref: 040359D4
                Memory Dump Source
                • Source File: 00000006.00000002.2932301539.000000000401B000.00000040.00000800.00020000.00000000.sdmp, Offset: 0401B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_401b000_COM Services.jbxd
                Similarity
                • API ID: ConfigQuery
                • String ID:
                • API String ID: 2925869523-0
                • Opcode ID: 2771ac6733420e54a3e292ee4c7ada7d8aaa7d157637ea8ec34f14bae2b85b10
                • Instruction ID: 4c74a39970169e86d44fa30d84c395e5295eb0b5b25b68965df0dd46d17aea0d
                • Opcode Fuzzy Hash: 2771ac6733420e54a3e292ee4c7ada7d8aaa7d157637ea8ec34f14bae2b85b10
                • Instruction Fuzzy Hash: BE2130B5600609BFFB10EFA0CD84FEF7BBCEB41359F100565B905E6190EA749E048B61

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 2638 3fc5b9a-3fc5bc6 NdrClientCall4
                APIs
                • NdrClientCall4.RPCRT4(75A71008,75A751A4,?,?,00000001,00000001,00000000,00000004,00000001,?,?,03FB9826,75ADD0F8,?,00000001,00000004), ref: 03FC5BBC
                Memory Dump Source
                • Source File: 00000006.00000002.2932301539.0000000003FA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 03FA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_3fa0000_COM Services.jbxd
                Similarity
                • API ID: Call4Client
                • String ID:
                • API String ID: 169691017-0
                • Opcode ID: 443c6c948f97ca4ca72f5005753f8222f88f9d86b330438778367ce81a329554
                • Instruction ID: 3b518c3851dd82cd161a5dde5a2972d800205d2c20e0537503e7e1ee5acf2945
                • Opcode Fuzzy Hash: 443c6c948f97ca4ca72f5005753f8222f88f9d86b330438778367ce81a329554
                • Instruction Fuzzy Hash: 87D05E7304010DBFDF021F81CC06D9B3E2AFB88311F004814FE1408010D7738871ABA1

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 2639 41cd434-41cd439 2640 41cd449-41cd450 LdrInitializeThunk 2639->2640 2641 41cd43b-41cd442 2639->2641
                APIs
                • LdrInitializeThunk.NTDLL(04215F11,000000FF,00000007,00000000,00000004,00000000,?,?,?,04215C23,00000065,00000000,?,042151B8,FFFFFFE0,00000000), ref: 041CD44E
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 57a3ce4a6cd042b2e29a04d47be6010eb2fc9a38db92db7222596fe38e09d5db
                • Instruction ID: f9421c22ba5d955d5030a13883af87800831b73828acf378d12d98d0863e6280
                • Opcode Fuzzy Hash: 57a3ce4a6cd042b2e29a04d47be6010eb2fc9a38db92db7222596fe38e09d5db
                • Instruction Fuzzy Hash: DCB09B719414C5D6D715E7609B087177A0067D1751F2AC465D2030685AC738D1D1F177
                APIs
                • LdrInitializeThunk.NTDLL(04215B87,000000FF,00000000,00000000,0000000C,00001000,00000004,76F9D260,0000001C,042158E0), ref: 041CD424
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 0d31bdc5e895713220ce662a61d04867ab61c022431a34318c2dc86bf81b89db
                • Instruction ID: 4ea1b432caf4561c718d9b764f0e23649471b28f507ecf4cab519ef754f3fafc
                • Opcode Fuzzy Hash: 0d31bdc5e895713220ce662a61d04867ab61c022431a34318c2dc86bf81b89db
                • Instruction Fuzzy Hash: E690023124140953D1847158850464A100547D2341FA6C015A0125618DCF158B5977E2
                APIs
                • LdrInitializeThunk.NTDLL(04215885,00000073,?,00000008,00000000,000000FF,00000004), ref: 041CD624
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: ec71b7451c546664bf35ef07b94af51bda82b3b35988c4d9d5f24baad3317d8e
                • Instruction ID: 13764af054c3b3b15cd464e4f2c09a31a864a4982af123b49be67ef4ff905470
                • Opcode Fuzzy Hash: ec71b7451c546664bf35ef07b94af51bda82b3b35988c4d9d5f24baad3317d8e
                • Instruction Fuzzy Hash: C290023124140563D11571588604707100947D1281FA6C412A052451CDDB568A52A162
                APIs
                • LdrInitializeThunk.NTDLL(0418BBD6,7D810F61,76E91058,00000002,?,00000018,000000FF,7D810F61,00000009,00000018,?,76FB6634,000000FF), ref: 041CD414
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 9799a231fc582a1d879bbc408da56a837852c794da40ce7145c225034ed9b907
                • Instruction ID: 097cb51e8b7db2e39c4e04cf8c004c3ea5ae71dd8afd21b05f7b0cd20060c84f
                • Opcode Fuzzy Hash: 9799a231fc582a1d879bbc408da56a837852c794da40ce7145c225034ed9b907
                • Instruction Fuzzy Hash: 3D90023124544993D14471588504A46101547D1345F66C011A0164658DDB258E55B6A2
                APIs
                • LdrInitializeThunk.NTDLL(04264B2E,?,00100080,00000018,?,00000000,00000000,00000007,00000001,00000020,00000000,00000000,76EB5A68,00000000,?,?), ref: 041CD814
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 54481f4d594b3377c34323b3386a0f2851a2affedc84f37fead9d6b2bd012bcf
                • Instruction ID: 6ba36cff4f96477dec44d6e65deef2ee4110706603a2650ee37f516d2334f8a4
                • Opcode Fuzzy Hash: 54481f4d594b3377c34323b3386a0f2851a2affedc84f37fead9d6b2bd012bcf
                • Instruction Fuzzy Hash: A4900231251C0193D20475688D14B07100547D1343F66C115A0254518CCE1589615562
                APIs
                • LdrInitializeThunk.NTDLL(041AB959,00000000,0000000D,?,C0000135,0000001D,00000024), ref: 041CD634
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b69ce4a945a2fbc9160c3ce5ed7aa9c53c98b61d2b2e592ac42d282b1c620c41
                • Instruction ID: e68421dc186aeea5c12a22dca5864be0b255e2ca089e7a00d82cd77aa184391d
                • Opcode Fuzzy Hash: b69ce4a945a2fbc9160c3ce5ed7aa9c53c98b61d2b2e592ac42d282b1c620c41
                • Instruction Fuzzy Hash: 01900271245441D3D11572588504F0A510947E1285FA6C016A0154558CCA258A52D162
                APIs
                • LdrInitializeThunk.NTDLL(04233061,?,?,?,00000048,00000000,00000003,00000000,00000000,00000000,?,76F68350,00003000,00003000,?), ref: 041CD664
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(042155EC,000000FF,000000FF,000000FF,76F9D220,001FFFFF,00000002,00000000,76F9D220,00000058), ref: 041CD684
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(04215FD9,?,0000003F,00000004,00000008,?,?,?,04215591,?,76F9D220,00000058), ref: 041CD484
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(04215DB5,000000FF,0000001C,0000000C,00008000,00000000,00000000,?,04215BF9,000000FF,00000000,00000000,0000000C,00001000,00000004,76F9D260), ref: 041CD4A4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041BDB4C,?,?,?,?), ref: 041CD694
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041AE1C3,000000FA,00000001,?,00000050,?,00000000), ref: 041CD4D4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041EC3B4,?,00000000,00000001,00000010,00000000,00000000,000000FE,00000005,?,00000004,?,00000004,?,00000002,?), ref: 041CD6D4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041CAF33,?,001FFFFF,00000018,?,?,?,00000000,00000000,00003000,00000004,?,?,00000000,00000000), ref: 041CDED4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(0421E262,?,00000000,00000000,00000000,00000000,00000000,76E95608,00000000,00000000,00000000,?,?,?,?), ref: 041CD304
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(04264CB3,00000000,00000000,00000000,00000000,?,0022096C,00000000,00000000,00000004,00000010,?,00000000), ref: 041CD314
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(04215D32,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000004,00000004,000F0007,C0000001,?,00000004), ref: 041CD544
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(0421D208,00000103,00000107,02000000,02000000,00000048,?,?,00000000,?,?,?), ref: 041CDF44
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(0421E8FB,?,00540052,00000000,00000008,0000000E), ref: 041CD534
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(04215D74,000000FF,00000000,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 041CD564
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(04215D10,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 041CD764
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041BE7C5,00000000,00000003,?,00000008,00000004,00000000,?,?,?,?,00000021,00100020,?), ref: 041CD754
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(042413F5,?,00010007), ref: 041CEB74
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041EA4A2,000000FE,00000005,?,00000004,000000FE,00000000,00000001), ref: 041CD374
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(04215D85,00000004,00000004,000F0007,C0000001,?,00000004,08000000,00000000,00000065,00000000,00000000,00000058), ref: 041CD394
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(0418BBB9,7D810F61,00000009,00000018,?,76FB6634,000000FF), ref: 041CD3C4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(042330DA,00000004,00000000,?,?,?,00000048,00000000,00000003,00000000,00000000,00000000,?,76F68350,00003000,00003000), ref: 041CD7E4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041E6A88,?,00000000,00000000,?,00000220,?,?,?,00000001,?,76E97EAC,?,?,00000002,?), ref: 041CD5E4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(0424755B,?,00000000,00000001,?,00000200,?,00000001,?,?,?,?,76EB4428,?,?), ref: 041CD3D4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041E39CD,00000000,76FB4F4C,?,?,?,04193244,76F9C2B0,00000018,04193860,00000000,00000000,00000000), ref: 041CD604
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                APIs
                • LdrInitializeThunk.NTDLL(041BE78F,?,?,?,00000021,00100020,?), ref: 041CD5F4
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: Hbq
                • API String ID: 0-1245868
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q
                • API String ID: 0-1948671464
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: LR^q
                • API String ID: 0-2625958711
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                • Opcode ID: 80a7d206ab0da206dc478e66a233d058a24a4d6400cab2ec1b1fa622f4722201
                • Instruction ID: 902a6d9253c415fc7d8e10d8d161613c85f72f4e8820921827ab05952cfeec82
                • Opcode Fuzzy Hash: 80a7d206ab0da206dc478e66a233d058a24a4d6400cab2ec1b1fa622f4722201
                • Instruction Fuzzy Hash: 5921D2B5D01258DFDB10CFA9D584AEEBBF5EB48320F24842AE958A7310D374A951CFA4
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                • Opcode ID: c8fe1605d630564fb7c3ddf9a7de434ac35c25e56765f1b140c28c7f074cc8d2
                • Instruction ID: 108270ef32b9b3a454c35ec47edaf5aaabb2f62e094c0fcf2412f435ab7478b5
                • Opcode Fuzzy Hash: c8fe1605d630564fb7c3ddf9a7de434ac35c25e56765f1b140c28c7f074cc8d2
                • Instruction Fuzzy Hash: 0221E4B59012089FDB10CF9AD984ADEFFF8EB48320F14841AE958A3310D374A950CFA5
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                • Opcode ID: ee46a42d00880f4f8fd7aee8dae2c01761ab8d87cd75ad69d3801d3d67b45f3b
                • Instruction ID: 7b6d15220be69d5a24a12360b1ffddd8e4405c4864621f7e39e117a48a6de2b6
                • Opcode Fuzzy Hash: ee46a42d00880f4f8fd7aee8dae2c01761ab8d87cd75ad69d3801d3d67b45f3b
                • Instruction Fuzzy Hash: C01100B69002099FDB10CF9AD484AEEFBF4EF88324F10842AE819B7210C374A545CFA4
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                • Opcode ID: 68016b91a579b4cee8317fd3171a178767a43279568186b07590a42d5e9f8d18
                • Instruction ID: 887549ac8d37228a97582d2d4d33919f23870fbf236bfd8da510f49aa8b07e24
                • Opcode Fuzzy Hash: 68016b91a579b4cee8317fd3171a178767a43279568186b07590a42d5e9f8d18
                • Instruction Fuzzy Hash: 4811D0B69002499FDB10CF9AD484AEEFBF4EB88314F14842AD919A7210C379A545CFA5
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: 4'^q
                • API String ID: 0-1614139903
                • Opcode ID: 109c9a4eb367c0f5a47b907ce5a683ab0897a68b8c028d18c53f3493158ef79b
                • Instruction ID: 9bbc8e204e98e7262fac211b08f88461ddfb418ee42f1ffae5363bb63c703ddb
                • Opcode Fuzzy Hash: 109c9a4eb367c0f5a47b907ce5a683ab0897a68b8c028d18c53f3493158ef79b
                • Instruction Fuzzy Hash: 1B11E970A052459FDB19EB78E5406EDBFB2EF41614B5001EDC405AF296EE306E478B91
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: jzw
                • API String ID: 0-1960552920
                • Opcode ID: 1b5d0a6b1cac3a542c3597dc25dacfbf06673b620392f98ccd22aa5e0bd63239
                • Instruction ID: a621b09790f6109c5aeab2e0956fc616756f8383f3e618c6bf57119f7e608cf2
                • Opcode Fuzzy Hash: 1b5d0a6b1cac3a542c3597dc25dacfbf06673b620392f98ccd22aa5e0bd63239
                • Instruction Fuzzy Hash: D71102B5C002498FCB14CF9AC484ADEFBF4AF88614F10842AD459B7310C374A545CFA5
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: 4'^q
                • API String ID: 0-1614139903
                • Opcode ID: c18aa3677c6be4877750ebc1dc9a74ada78f4a021d07b14267961caf0f515a84
                • Instruction ID: 4f39485b5dc120e6552c7c31c0abc93e67bfe1e4d5d58b804d2518690f1cff54
                • Opcode Fuzzy Hash: c18aa3677c6be4877750ebc1dc9a74ada78f4a021d07b14267961caf0f515a84
                • Instruction Fuzzy Hash: 7601D670E141089FDB45EFB8F4515DDBFB2EF41708B1041AAD008EB255EA30AE468B91
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q
                • API String ID: 0-1948671464
                • Opcode ID: e3345a2f7236cea9f1708a50760e1cd7ac7a0e0a5fbd8da6ff1bb2adcac368d2
                • Instruction ID: 9d5fed449b73d77c1ac7509de49d454f7457c90b39733739babdf26707261768
                • Opcode Fuzzy Hash: e3345a2f7236cea9f1708a50760e1cd7ac7a0e0a5fbd8da6ff1bb2adcac368d2
                • Instruction Fuzzy Hash: E4E02B76B451006FE309462AAC94FA65F97EFCAB24F2D41AFF108CB3A2C891DC074260
                Strings
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID: `Q^q
                • API String ID: 0-1948671464
                • Opcode ID: 5d2acd82d1303c1cc3a080b9122daff7918c25c8629632e7af87545235122dd7
                • Instruction ID: 6836b94a81a648b5eafea9a45452492af87ce5c0d8a6bd011cc3486d04880a64
                • Opcode Fuzzy Hash: 5d2acd82d1303c1cc3a080b9122daff7918c25c8629632e7af87545235122dd7
                • Instruction Fuzzy Hash: E2E04F327401146BE218596BAC54F67A69AEBC9A20F64016AF209DB2A0CC91EC0546A4
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34326a8a4d492ec3a3e4b9e00c7ae567665b09c193c5fb09b80105d44d8e152b
                • Instruction ID: e22e93b9677db571b51ae3014dc2d7ea785a6e61a4950d5b5839ce42d3c76932
                • Opcode Fuzzy Hash: 34326a8a4d492ec3a3e4b9e00c7ae567665b09c193c5fb09b80105d44d8e152b
                • Instruction Fuzzy Hash: 9142C230600A168FCB16CF28C980AAAB7F6FF45318F45895AD856DB791D734FD85CBA0
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b14b52a4f3a4eba7a16936adfa3c64f374c8f448b15c47c2b466c7026b5b69e2
                • Instruction ID: 15215fc9f2ff78ab58f14770a3c2c01fcf1f0c927d3cced094c18b24d74d5e64
                • Opcode Fuzzy Hash: b14b52a4f3a4eba7a16936adfa3c64f374c8f448b15c47c2b466c7026b5b69e2
                • Instruction Fuzzy Hash: 6B129130600A169FDB16DF29C880AAEB7F6FF44308F44495AD856DB794DB34F985CBA0
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7aec800afcd0ec4cc64d99c55acda3f97e31bfcb36ea7ec8ba1e933d1577e654
                • Instruction ID: 0f1d9ae7acc4d9114871631380df6bf2333739af4feeec88bb44ea5dad31280c
                • Opcode Fuzzy Hash: 7aec800afcd0ec4cc64d99c55acda3f97e31bfcb36ea7ec8ba1e933d1577e654
                • Instruction Fuzzy Hash: 28E12C31A002198FDB15DF65C884BDEBBB2FF85304F5144AAE509AB361DB71AD86CF60
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1ce914fcad669429b194426084f30fa828764f7ac1c5ba0aaaf0c30d388cff2d
                • Instruction ID: ea0f86b150f0a867772e531c72dc279bef5c6fe6679c7b27afb50dc67a40417e
                • Opcode Fuzzy Hash: 1ce914fcad669429b194426084f30fa828764f7ac1c5ba0aaaf0c30d388cff2d
                • Instruction Fuzzy Hash: 16A18534A10705CFCB04DF69C88499DBBB2FF89314F1186A9E505AB366EB70E985CF90
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 138f86dbd3d2cfe35de6ff132d43f37eff55fbe11b43f175f18d50324a33127a
                • Instruction ID: 50927f18d4234afe7075611d0a3aaa0500e0b1f76a778b18e95936aadcc4dd0a
                • Opcode Fuzzy Hash: 138f86dbd3d2cfe35de6ff132d43f37eff55fbe11b43f175f18d50324a33127a
                • Instruction Fuzzy Hash: 89A17435A10605CFCB04DF69C88499DBBB2FF89314F1186A9E509AB365EB70ED85CF90
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ab34e5cbc4ed8662e9cc23bdb7c347da73189b35a201b21a4e55d8e1147f57a8
                • Instruction ID: 4d5ba392ed84784941702134a0c1fc4caf5d5afa90e58e9a2cad64290208ec1e
                • Opcode Fuzzy Hash: ab34e5cbc4ed8662e9cc23bdb7c347da73189b35a201b21a4e55d8e1147f57a8
                • Instruction Fuzzy Hash: B3816B30700A019FEB26EF39C5517AA77EAFF45308F14092AD946CB3A0DB34E851CBA1
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 93a523b82f826edb9316d0c239fa33a92d02bfbbcf56884440d9a1ef66582f9c
                • Instruction ID: d248ae49c691471a71134f873f48af46fef12186c7e683cc696f3b5904dc1acf
                • Opcode Fuzzy Hash: 93a523b82f826edb9316d0c239fa33a92d02bfbbcf56884440d9a1ef66582f9c
                • Instruction Fuzzy Hash: 5B414034A106149FDB15CF69D944AAEB7F1BF89704F1140AAF50AEB7A1CB31D845CB60
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cf9743b64f3c77f3447c33c3a6062be9c53f30aeab35d0c0337a1dadd6b43258
                • Instruction ID: 1c70060dd5d05adb2ae36122b4cff01a401659adad1001c89524d23a1600e860
                • Opcode Fuzzy Hash: cf9743b64f3c77f3447c33c3a6062be9c53f30aeab35d0c0337a1dadd6b43258
                • Instruction Fuzzy Hash: 0031C931A042459BE705DF79D5446AEBFF6EFCA308B19816BD005A7382DB39E841CFA1
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d5f9a267e340e86e4fcd9a1f98181b04561370a616c0f7e5f9415bc671a7e1f1
                • Instruction ID: 7c288f7f0775133f5169258ff13ac475f024fce5f726ddaad2dee620374498a0
                • Opcode Fuzzy Hash: d5f9a267e340e86e4fcd9a1f98181b04561370a616c0f7e5f9415bc671a7e1f1
                • Instruction Fuzzy Hash: B831C431A042058BE706CF7AD5406AEBBF6EFC9308B19816BD005A7391DB38E841CFA1
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f228296dc205f68a4c41df4099f5081d0436d34e856a4deb84cb5b3fc3ed2740
                • Instruction ID: a7e2ef54cb38e030cce8d055b6be54895babdf3d4bcf25bda4dd3751fcb1179c
                • Opcode Fuzzy Hash: f228296dc205f68a4c41df4099f5081d0436d34e856a4deb84cb5b3fc3ed2740
                • Instruction Fuzzy Hash: 5C216A303006119FE719DB2AD850B6E77A7BFC8704F11812AF009CB7A4CB75EC468BA4
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c487836ca166b2177d46a0bb6acb01bd2af9f2697ab70498842989991c93732
                • Instruction ID: d4519c6c045036c02f59e96368858323132aeee40234bf765f31d504e5890280
                • Opcode Fuzzy Hash: 6c487836ca166b2177d46a0bb6acb01bd2af9f2697ab70498842989991c93732
                • Instruction Fuzzy Hash: 8C1136717092505FE31A673909180AF7BA6EFC6304B0504ABE90ADB795DE29CC0B87B2
                Memory Dump Source
                • Source File: 00000006.00000002.2929036025.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_245d000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a6f2b6c37adb97c9d0a5f468c4257a7c8d5d320a2db23f8bd5c50f93a569e944
                • Instruction ID: 7b6f49479439440ea8bedaafba1c8198dcccd814d1a7533bd5978ab3c8dd96c1
                • Opcode Fuzzy Hash: a6f2b6c37adb97c9d0a5f468c4257a7c8d5d320a2db23f8bd5c50f93a569e944
                • Instruction Fuzzy Hash: 2B21F271A04200DFDB14DF14D9C4B26BBA5EF84B18F20C56ADD8A4B357C33AD447CA61
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 657f117722b457ebefdfc90975a6c913a059d194c965ea96413a5c2fae661b94
                • Instruction ID: 473c26989a9a3ffa0da94b86724de6c6092eafc7d63435c31695a0f67e4e7f8f
                • Opcode Fuzzy Hash: 657f117722b457ebefdfc90975a6c913a059d194c965ea96413a5c2fae661b94
                • Instruction Fuzzy Hash: F8216D716002058BEB459F2DD880785F7E6FF89324F14C6BEE509EB385EA74E8458BA0
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0ed904faff93dc47ac2ea9d9514e80b71fc9ac9f56fa73078a79c60cc8f17380
                • Instruction ID: dbee3ee7bb1e57d942912c211d3bcde7f1af539dfbbec9048d1b69696d210a12
                • Opcode Fuzzy Hash: 0ed904faff93dc47ac2ea9d9514e80b71fc9ac9f56fa73078a79c60cc8f17380
                • Instruction Fuzzy Hash: A42180716002058BE7059F29C890385F7E6EF89324B1986BED809EF385EA74A8458BA4
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 71bf55f4877f64ccd77e4b9cffc28dd2d65a72e0457815870f3c9f63f06d5e19
                • Instruction ID: c6a3886f2f69f0d6d20a4313fa9b6f5099406fb472f72e859a4cb353d55d0eea
                • Opcode Fuzzy Hash: 71bf55f4877f64ccd77e4b9cffc28dd2d65a72e0457815870f3c9f63f06d5e19
                • Instruction Fuzzy Hash: 57215E70200B409FE716CF28C44975ABBE1FF41308F144A6EE166CF6A1C7B6E59ACB95
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37d1223b827dc50a56b610b9cf42fd4dd2f10c523bf1810867b195a6c1e8201c
                • Instruction ID: f970d52e4833979a6d0f47e69046d61c8cff48ac31ede5bad376e6b17ebd9024
                • Opcode Fuzzy Hash: 37d1223b827dc50a56b610b9cf42fd4dd2f10c523bf1810867b195a6c1e8201c
                • Instruction Fuzzy Hash: 102171701007409FE716CF28C45979A7BE1EF4130CF1449AED556CF2A2C7B6E48ACB91
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 12c22feb2f1db26462b48e76442f7679a44167151e23286abc9f1954bf33ee07
                • Instruction ID: 484963c1d378aeb1dddc67961dcf483ae25d33393cdae9a1566aa154a0c3c449
                • Opcode Fuzzy Hash: 12c22feb2f1db26462b48e76442f7679a44167151e23286abc9f1954bf33ee07
                • Instruction Fuzzy Hash: 8821C071A147058BEB01AF68C8403D5B372FFD4320F25867AD94C7B282EB71B9858BA0
                Memory Dump Source
                • Source File: 00000006.00000002.2929036025.000000000245D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0245D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_245d000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 477bdeeff8a3790e232d7778c0f59334d0b6e1d6f1d9ab67b00340e98d877d0b
                • Instruction ID: 5ba27fbd71bd5ce40fca59748a924d57df2191a38d6a71e1cc03c7e702028dbb
                • Opcode Fuzzy Hash: 477bdeeff8a3790e232d7778c0f59334d0b6e1d6f1d9ab67b00340e98d877d0b
                • Instruction Fuzzy Hash: 8A217175508380DFDB06CF24D994B16BF71EF46214F28C5DAD8898F267C33A980ACB62
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6682b6c22f92346888f7fbcff381f3288b799b65ac7b1dca1b0d028f36fa8b5b
                • Instruction ID: 198b66eb526ac0f049f720299977b1f235b41a71d2bf11c8291a3992cee67e1b
                • Opcode Fuzzy Hash: 6682b6c22f92346888f7fbcff381f3288b799b65ac7b1dca1b0d028f36fa8b5b
                • Instruction Fuzzy Hash: 94218431A107098BEB01AF69C8403D5B376FFD5324F11867AD94C7B241EF71B9848BA0
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: af802e2901c579afffa7148e19ca4a3d45b9717156828323a99fe6ef1e1bd0de
                • Instruction ID: 0e93482e9514ef29ce29a82ec462ccb26c45982c40d0dd1c4e3488cb2a8031a4
                • Opcode Fuzzy Hash: af802e2901c579afffa7148e19ca4a3d45b9717156828323a99fe6ef1e1bd0de
                • Instruction Fuzzy Hash: A3119E746407508FD7299B79D5198AE7BA2EF857143108A6EE046CB391CF38AC058F92
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 19812af7bedf12463b827bcc0e6bbb7dc5236409ab30e3e1a737f0f60158e560
                • Instruction ID: 5ce4c13f8fe00455918fc2dec2be113cd9cc9171258a3eafdbaeff30a88b0cb7
                • Opcode Fuzzy Hash: 19812af7bedf12463b827bcc0e6bbb7dc5236409ab30e3e1a737f0f60158e560
                • Instruction Fuzzy Hash: 1101F5B12083404BE7025F6988907C17B66EF86324F0442BBD548AF2C3EA6458468771
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f7509e3e78ed9c6e86aebffb099fb7191c59720992369f7c58047ad470e48e4a
                • Instruction ID: 291722c6a01685c7d4f8e1453a7061c83fc2a3cdad7464932d94b0e3087e2601
                • Opcode Fuzzy Hash: f7509e3e78ed9c6e86aebffb099fb7191c59720992369f7c58047ad470e48e4a
                • Instruction Fuzzy Hash: F8019630A402689BEB1ADB68C9547EEBAF6BF88300F54052AD442B7394DF745945CBB1
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a62fb569ab2d5eb211aa31597d6f10f88e86a76e087106e20e4277c46b701254
                • Instruction ID: 61e8c7131cb0adaac1d6af031e2c3f318fddf02ebd698b15dc87aab3bf939ccf
                • Opcode Fuzzy Hash: a62fb569ab2d5eb211aa31597d6f10f88e86a76e087106e20e4277c46b701254
                • Instruction Fuzzy Hash: BF0169346007108FC728AF7AD51959E7AA2EF856447108A6EE10B8B790DF39EC448FD6
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 200e0e43c2d7090603c8a3f1ed81059099f211e41c554a6a873b08452c2c17d2
                • Instruction ID: 3b2cb04d68692d749840803c7fc405c989e1d591cd9e25ffd0cb6b336e3d5f88
                • Opcode Fuzzy Hash: 200e0e43c2d7090603c8a3f1ed81059099f211e41c554a6a873b08452c2c17d2
                • Instruction Fuzzy Hash: C0017C34A102189FDB10DF7AC844BEA77F9EF85304F0184AAE909D7651DB74DA59CB60
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e5f9538bae72d5c8f749bd803f464f4923e884b444a738c8ca97748b6623387a
                • Instruction ID: 627ae38a258be31120f096cd94220cce8d07821f2ee57d5e8345bdd719d979a2
                • Opcode Fuzzy Hash: e5f9538bae72d5c8f749bd803f464f4923e884b444a738c8ca97748b6623387a
                • Instruction Fuzzy Hash: FCF0AF3130430447EB016F6D9890786B7AAFFC8324F10467AEA0CBB385EB71A8458BB4
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76280a120bce13dec113228298afdde6d93ce6ec25a0fd808ae860797020acd1
                • Instruction ID: c962fb38e6646d724f159db27100b3065af6f57ef1a902f4b4cc749f603836b4
                • Opcode Fuzzy Hash: 76280a120bce13dec113228298afdde6d93ce6ec25a0fd808ae860797020acd1
                • Instruction Fuzzy Hash: E201CD36204548AFDF038F45D844CD93F76FF8971470D80A6F6449B222C635D926DFA0
                Memory Dump Source
                • Source File: 00000006.00000002.2928979725.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_244d000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b8758abf355dca1b540917547266b45a339e2d3e15d7ea4cc2b224eb2ef024d
                • Instruction ID: ce1282da10de5df7a6a4e8fc0726e8efd9cc0bd43c1957a390a9f13559906033
                • Opcode Fuzzy Hash: 9b8758abf355dca1b540917547266b45a339e2d3e15d7ea4cc2b224eb2ef024d
                • Instruction Fuzzy Hash: 3DF0F976600600AF97208F0AD885C23FBA9EBD4A74715C56AEC4A5B711C771EC42CAA0
                Memory Dump Source
                • Source File: 00000006.00000002.2929410791.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_24b0000_COM Services.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7d69850c2084e6ff180e7c1235b69326ecea7750c75803a8bca69f576b2f5a2a
                • Instruction ID: 12cb46fd274760dc2f6d2b436a0a9792bba143487ac8c042d237e017e73491b2
                • Opcode Fuzzy Hash: 7d69850c2084e6ff180e7c1235b69326ecea7750c75803a8bca69f576b2f5a2a
                • Instruction Fuzzy Hash: 5FE0E562B642042FE7096277ECC09F7175BDFC0EA1718803FA505CA280ED90CC038270
                Memory Dump Source
                • Source File: 00000006.00000002.2928979725.000000000244D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0244D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_244d000_COM Services.jbxd
                Memory Dump Source
                • Source File: 00000006.00000002.2934357264.000000000415B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0415B000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_6_2_415b000_COM Services.jbxd